Slashdot Mirror


Tech Companies Ask U.S. to Regulate Cyber Security

qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123-page reports, there is a three-page summary available as well.) The Washington Post, Forbes, and other sources are covering this story as well. I hope this is just another [late] April Fools' Day joke, but I'm afraid that this looks too scary to be real."

7 of 371 comments

  1. interestingly by Anonymous Coward · Score: 3, Informative

    they propose that gov't should regulate security in specific industries, like banking or telecom, and not a blanket "one-size-fits-none"

  2. Look what they snuck in.... by lysium · Score: 4, Informative
    From the Summary pdf:
    Ensure that Software Assurance and other Information Technology Centers of Excellence include an information protection component (Emphasis mine).

    Is it any surprise that Microsoft's security recommendations would include Palladium?

    ====---====

    --
    Together, we will drive the rats from the tundra.
  3. Wrong Comparison by Anonymous Coward · Score: 5, Informative

    You've noticed how EULA is typically attached to things you pay MONEY for? (and get sued for using if you have not).

    Have you also noticed how GPL'ed products are free (as in speech, but also, often, as in beer)?

    Notice how EULA does NOT usually cover things for which you have access to source code?

    The point is simple - when you BUY software, the software VENDOR should carry responsibility.

    GPL'ed software is given away - no money is charged. Thus, the GPL can say "we're just doing this for fun, use at your own risk."

    In contrast, paying money and accepting the license as part of the transaction makes it a contract. The contractor should be held responsible for his work.

    (I know, IANAL, playing fast/loose with the term "contract", etc. But the chief distinction is MONEY)

  4. This is an ITAA group by gminks · Score: 5, Informative
    National Cyber Security Partnership was set up by ITAA

    ITAA is the lobbying arm of high tech corporations.

    For insight on how ITAA sets up these "blue ribbon panels", read this article about a meeting of electronic voting manufacturers. They brought in Harris Miller, ITAA's president, to see how he could help them.

    Highlights from the article:

    • ITAA felt the industry should help create its own credibility by setting high standards.
    • ITAA suggested "re-engineering" the certification process to make the industry the "gold standard" so they can eliminate "side attacks you are subject to now from people who are not credible as well as people who are somewhat credible."
    • Harris Miller offers the following comments on how ITAA company partnerships would handle the public debate about electronic voting:
      "Similarly, when we get press calls and the press says 'Joe Academic says your industry's full of crap and doesn't know what it is doing.' What do you say Harris? The reporters always want to know what are the companies saying?.. And there can be two scenarios there: The companies may want to hide behind me, they don't want to say anything... frequently that happens in a trade association, you don't want to talk about the issues as individual companies. ...I take all the heat for them."

    How is any of that related to the topic at hand? These panels we see approaching the government are coalitions formed by a lobbying firm that is paid to protect the interests of its clients. The panels are made to look as if they are unbiased experts that are only looking out for the good of all Americans. The truth is they want to control the conversation so it seems as if they are the only ones with relevant information on the subject at hand.

    Harris Miller and the ITAA have been doing this for many years, and their MO is always the same. The National Cyber Security Partnership is nothing more than an extension of ITAA's lobbying efforts.

    displacedtechies.com

  5. DCID 6/3 - Security Standardization by Midnight+Warrior · Score: 2, Informative
    When it comes to security, parts of the government do understand how to do it right. Take DCID 6/3. This is a policy directive from the Director of Central Intelligence Directorate entitled "Protecting Sensitive Compartmented Information Within Information Systems." This thing really writes the book on quantifying security requirements and matching that against what is actually implemented.

    Look at it as a certification process. Each project tasked with protecting data on a computer (networked or not) has a security posture and a security officer responsible for ensuring that the declared posture is enforced.

    This is what a bunch of people at /. fear: they expect the government to try to make it all completely secure and fail, but what they fail to see is that the government will only quantify and validate the level at which an information system is protected. This means it's not a black and white world, but rather the level of protection is paired against the threat of compromise.

    A bunch of you also think this has only to do with preventing a network-based attack. And while that is in play, don't forget corporate espionage. That foreign temp worker your boss hired could be walking out with all the spreadsheets the accounting department values. This problem, by the way, is addressed in trusted operating systems such as those talked about in this article asking about Trusted Linux vs. Trusted Irix or Trusted Solaris.

    DCID 6/3 works both sides of that problem and quantifies for management what kind of protection their dollars have bought them.

  6. Re:EDUCATE IT and CS students on SECURITY!! by bool · Score: 2, Informative

    The NSA has been on to this one for a while now. They are accrediting university programs and offering some pretty nice scholarships for the students that participate in them. Look it up sometime if you want to get into a school that offers good security classes.

    --
    while (alive) { Work(); PayTaxes(); Eat(); Sleep(); }
    Bool
  7. Re:Smells like a replay of the AT&T monopoly by einnor · Score: 2, Informative

    The GPL license explicitly states that you do not need to accept the license to USE the product. However, it is a copyrighted work, so you do not have the inherent right to distribute the work. If you wish to DISTRIBUTE a GNU product, the only way to legally do so is to accept the GNU license.

    So GPL is fundamentally different from EULA. The EULA claims that by using the software you accept the license. The GPL claims that by distributing the software you accept the license.

    --
    Acronyms Obfuscate