Slashdot Mirror


Watch For A New Set Of CyberSecurity Laws

SuperDuG writes "According to a story on PCWorld.com, the Congressional subcommittee dealing with cybersecurity will be researching and legislating new cybersecurity laws. The Chair, Adam Putnam, says 'We want to put something out there that makes sense, that's balanced, that accomplishes the same goals, without it being this headlong rush to prove that we're doing something for our constituents because we were asleep at the switch when there was this digital Pearl Harbor.' Perhaps it wouldn't hurt if we all took part and contacted Representative Putnam about how well thought out other cybersecurity laws like the DMCA have 'helped out' and were 'thought out.' At least they're actually thinking before they legislate, and it seems they're open for suggestions."

1 of 135 comments

  1. OS vendor liability by Animats · Score: 5, Informative
    Suppose it worked like this:
    • Operating system vendors who sell, for money, systems which connect to a network are liable for damages to third parties caused by security flaws in their products.
    • This liability applies to all new product sold one year after the enactment of the act.
    • Class actions are allowed.
    • The buyer of the product cannot be required to have the product updated or serviced after the original sale.

    This would make Microsoft (and Red Hat, etc.) liable for security holes which allow virus redistribution, distributed denial of service attacks, and similar situations where the victim and the customer are different.

    The "no servicing" requirement means that a patch-based or signature-based approach to security doesn't relieve the vendor of liability. The system has to be secure as delivered.