Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gov't Vulnerability-Disclosure Program Draws Heat

Posted by timothy on from the skeletons-in-closet dept.

AndreyF writes " Securityfocus.com reports: 'a long-anticipated program meant to encourage companies to provide the federal government with confidential information about vulnerabilities in critical systems took effect Friday, but critics worry that it may do more harm than good.' The article discusses both sides of the PCII question, but leaves me wondering why the pro argument rests on my trusting large corporate CEO's to 'do the right thing.'"

5 of 101 comments (clear)

  1. Only useful for gathering statistics by koody · · Score: 5, Interesting
    It seems to me that this will only be useful for statical purpouses. The legislation basically indemnifies the company from liability. Even if the company is asked to fix a problem, they refuse and are later attacked, no one can even point a finger at them if what the article says holds true.

    A key provision of the law bars the government from using the vulnerability information in any enforcement action against the company, or from using it as the basis for proposing new legislation or regulations on industry.[snip]

    Of course, the law wasn't intended as a shield for corporate negligence: information that comes to the government independently of the PCII reporting is still fair game.

    So if a company doesn't want to put any money in to securing their computer infrastructure, they simply report that and the govt can't force them. When an attack occurs, the company will point at the govt and say that the govt new that they "lacked the funds" or something to secure their comps.

    Incredible BS-law Protecting companies and enableing them to assign the blame on others. Is this really what the government wanted to achieve with the law, or was this simply the result of corporate lobbying?

  2. money talks... by segment · · Score: 5, Interesting
    So here's my excerpt for the moment...
    ...

    WASHINGTON (CBS.MW) -- When individual Americans are accused of helping terrorists, they're thrown in jail and their names are dragged through the mud.

    But when major U.S. corporations are caught trading with the enemy, they get just a slap on the wrist from the government.

    In the past two weeks, the government has revealed that 57 companies and organizations have been fined for doing business with terrorists, despots and tyrants.

    ...

    Each year, the government investigates thousands of cases of U.S. individuals or companies for alleged violations of the Trading with the Enemy Act and other statutes and executive orders that restrict free trade. Each year, the government imposes millions of dollars in civil penalties and prosecutes 10 or so criminal cases.

    We know why the companies are silent about what they've done. No one wants to be associated in the public mind with torturers, thugs and murderers, even if it's profitable to be associated with them in private. The companies' explanations, when available, show that even the most enthusiastic supporter of sanctions can run afoul of the law through no malice on their part.

    Source

    You don't want to get into whistleblowers now. Most of the times they're ridiculed even arrested and sent to rot for coming clean.
    --
    MoFscker
  3. Re:Encourage? It should be Mandate by Agent+Smart · · Score: 5, Interesting

    Mandate or not, the most serious vulnerabilities will be those that the company is ignorant of.

    If a company is aware of a serious vulnerability, and decides that it doesn't make business sense to correct, it has the option of making the government aware in order to limit the company's liability. Clever indeed.

  4. Excuse me, but .. by z0ink · · Score: 5, Interesting

    The last I heard funds are being tied up all over the place in the Dep't of Homeland Security. What makes them think they can, on a whim, create an organisation that would affect the security of systems nationwide? We need patches 0-second from the release of exploits at the rate things are going these days. Even though the government wouldn't be the one controling the release of anything, wouldn't involving them and especially the DoHS put a big slowdown on the process? It seems many system admin's patch only when they hear about it on the news. I wonder how long the gov't would wait before acknowledging that something is infact a problem - unless of course somebody releases a Terrorist.B virus?

    --
    Steal This Sig
  5. Better yet, immediate disclosure with immunity by A+nonymous+Coward · · Score: 5, Interesting

    Corporations should be required to disclose all problems with their products and infrastructure as soon as they know about them, and given immunity for doing so. Failure to disclose problems immediately would drop the immunity. I am all for suing the pants off the bastards when they hide defects and cover up and it is only found out after deaths and accidents. Remember Ford Explorers and Bridgestone tires? Remember Ford overheating electronics causing fires in the engine compartment? Remember GM side saddle fuel tanks? etc etc. I have no problem with companies making mistakes, but they better disclose them as soon as they find out, not try to cover up.

    --
    Infuriate left and right