Tech Companies Ask U.S. to Regulate Cyber Security
qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123-page reports, there is a three-page summary available as well.) The Washington Post, Forbes, and Other Sources are covering this story as well. I hope this is just another [late] April Fools' Day joke, but I'm afraid that this looks too scary to be real."
Business gets .gov to regulate security.
Regulation and "Approved By.." nonsense costs money.
MS, et al pay.
Open Source can't pay.
Non-approved things can't be used, ergo closed source wins.
If it's true, MS and BSA will argue that the open-source software has to be stopped because it will let terrorists see the code and come up with exploits based on it.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Adopting a "top-ten" list detailing industry best practices. Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods.
I thought Microsoft was involved in the partnership. How is that going to work??
This is not a troll. MS patches generally violate some or all of the goals stated above.
I want to drag this out as long as possible. Bring me my protractor.
Big businesses ask the gov't to step in, because their processes are flawed and produce bad software.
Gov't is expected, in turn, to mandate these measures. Mandating them, of course, requires that gov't money be spent 'fixing' the systems that were flawed.
Hmm. I smell pork.
Big businesses like regulation. It costs them, but it costs their smaller competitors more in relative terms.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
The BSA isn't just in business to chase down pirates of commercial software, they're also in the business of getting people to buy more. Effectively, what the BSA wants is for companies that don't buy any information security products to get in trouble with the SEC... therefore practically mandating that everybody buy something from one of the BSA members.
"The report says programmers should be held personally accountable for security holes in the software they write."
Now we see a shift of responsibility to the programmers. Let's just try and put as many layers as possible between the Corp Entity and responsibility, why don't we.
"The report said industry groups should work with the Homeland Security Department to look at ways to reduce liability, as well as examining whether new rules are needed."
And now we see a way to tie the mass collection of data that the GOV. is asking for and private industry together.
This is one small step further towards the Corp Entity as Government.
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
This is not a troll, but where was RMS and others?
It would seem that computer security would be important for the whole computing community, not just Microsoft, CA, and HP.
The proper way to improve security is invalidate all those EULA disclaimers.
You've noticed the same kinds of disclaimers on the GPL, yes? If the warranty disclaimer on a Microsoft license is invalid, what makes the one on the GPL valid; and if it is not, then how would, say, the contributors to the Linux kernel fare if they were sued for a major security breach?
I think the fuss should be that it's a waste of time. Many of the recommendations seem to be
1) Have some committee make up some security standards.
2) Award gold stars to groups that take some security classes, or who create a "security culture" in their companies.
In other words, this is completely useless, and gives the impression that progress is being made. An analogy would be the Academy Awards, where the group of insiders gives out awards to other people who are in the group of insiders, yet thousands of horrible movies are still made every year.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
I said nothing about open source being more secure. I think it is more securable, and I think it is better all around, but what annoys me is Microsoft whining that there is no one to sue with open source, when their EULAs have all manner of disclaimer. Microsoft should be sued for fraud. They claim to be more secure, brag about how they are secure, etc etc etc, and yet not only do the security holes continue to roll in, Microsoft blames everybody else for the problems.
Whereas open source fixes the problems without blaming others.
Infuriate left and right
If MS, CA, and friends have perfect, 100% secure software then I think they should stop hiding it and just sell it outright without the government's blessing. Since they do not, this buddy system might be an alternative to open source software. It could be good, but it could be abused. Considering only big players are involved right now (?), the latter seems more likely.
From the report, I gather they want to define security and then they can make sure they meet that definition. Make the rules and play by them, at least in legal terms.
The summary talks about a taskforce to develop "metrics", working with government agencies and get a thumbs-up, develop industry standards, have awards for secure software (can open-source software win?), create a security license accreditation program, and make "the security of one's software a job performance factor."
Although, we all know from the DeCSS case that code "isn't free speech" when it's convenient. So the end result of this would be that the government can tell you what you can and can't code.
I was fine with everything in the summary until I got to the "certification" part, but who knows, maybe my tinfoil hat is on too tight.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
Yup, that was pretty much my take on things (Rule 1: industry *never* asks for regulation without an ulterior motive), although I think that there's a bit more to it -- if any cronyism can be used by existing players, it might be a useful tool against challengers, forgetting about Open Source for a moment.
I'm all for the government issuing advisories, but regulation of security is not feasible. I remember reading about older military software -- the government used to try to do much more comprehensive security reviews of all kinds of software it used with tiger teams. Unfortunately, it turned out the extreme expense of this kind of thing isn't feasible in the real world, and still left holes.
If I had to give a government recommendation, it would probably be along the lines of:
* Issue advisories. There are organizations like CERT that do this. Unbiased (not from a vendor), trustworthy information is difficult to come by.
* Issue best-practices papers. These are probably most useful to IT professionals, though it might even be a good idea to produce them for software developers. Microsoft recently collaborated with the Fed to produce a set of best security practices documents for Windows. This is an easy thing to add to a company security policy ("[] must comply with USG Document #135F3 Best Practices"). It just tried to deal with a couple of common misconfigurations. It's *hard* to get this kind of stuff directly from a vendor (which frequently wants to hand out information that will encourage you to buy more or is more interested in putting a positive spin on their mistakes) or a consultant (who frequently wants you to buy more consulting services) or a security software (like a firewall) company, which is primarily interested in scaring companies into thinking that they need security software.
* Government certification of software intended for non-government use is a bad idea. It takes a long time, allows cronyism, can be used to attack some sections of the market (like most Open Source). It's perfectly reasonable for USG-use purchase requirements, but it's not reasonable for broader use.
* Producing a classification system *could* be very useful, where the government writes documents describing particular classes of software, but is not responsible for ensuring that a particular version of a program fits into a class of software. For example, a hypothetical class-local/1 might require that:
a) The software bounds-checks all memory accesses to data at the compiler level (free with some languages like Java, and can be done in C if necessary).
b) The software does not access the network.
c) The software does not write to any data files.
Other useful requirements for various classes of software might be: "The software does not provide privilege escalation within the UNIX operating system's privilege system (as a suid/sgid program or a daemon running as a different user does...there would be an equivalent for the Windows security system)", "All data that the software uses from the network is either exact-match checked or bounds-checked prior to use of any of that data, and a failure to pass checks results in that data not being used" (might be useful for simple network software, like clients of the daytime protocol). The government is great at writing requirements and making them publicly available--let's use that. Then, if a company guarantees that they are compliant to a particular document in a contract, there is a clear point that they can be called on for non-compliance. Finally, there would be a market for software that can check software for some elements of compliance. Automated security checking is a major issue -- it's neat, it's more and more feasible (see CMU's Java proof-carrying compiler for some neat stuff). The problem is that there are currently no standards written by security folks who know what they're doing, so it's hard for businesses to ask for compliance to a particular level of security, and no tools that can certify programs to a particular level.
There are probably a lot more suggestions that the government could use, but this is a start...
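As an added illustration (not from the comment above or from the report) of the "exact-match checked or bounds-checked prior to use, and a failure means the data is not used" requirement, here is a validator for the daytime-client case the commenter mentions. RFC 867 leaves the reply format loose, so the expected line layout, the 64-byte cap and the sample replies are assumptions constructed for this example.

```python
import re

# Constructed sample replies (not captured from any real server) to exercise the checks.
SAMPLE_REPLIES = {
    "well_formed": b"Friday, April 2, 2004 14:05:33-PST\r\n",
    "too_long": b"A" * 200 + b"\r\n",
    "binary_junk": b"\xff\xfe Friday, April 2, 2004 14:05:33-PST\r\n",
    "bad_weekday": b"Funday, April 2, 2004 14:05:33-PST\r\n",
}

MAX_REPLY_BYTES = 64  # assumed bound: a daytime reply is one short line
WEEKDAYS = {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"}
MONTHS = {"January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"}
# Assumed layout: "Weekday, Month Day, Year HH:MM:SS-ZONE"
_LINE_RE = re.compile(
    r"([A-Za-z]+), ([A-Za-z]+) (\d{1,2}), (\d{4}) (\d{2}):(\d{2}):(\d{2})-([A-Z]{3,4})")


def validate_daytime_reply(raw: bytes):
    """Return parsed fields only if every check passes; None means 'do not use'."""
    # Bounds check on size and framing before any parsing is attempted.
    if len(raw) > MAX_REPLY_BYTES or not raw.endswith(b"\r\n"):
        return None
    body = raw[:-2]
    # Bounds check on the alphabet: printable ASCII only, so decoding cannot surprise us.
    if any(b < 0x20 or b > 0x7E for b in body):
        return None
    m = _LINE_RE.fullmatch(body.decode("ascii"))
    if m is None:
        return None
    weekday, month, day, year, hh, mm, ss, zone = m.groups()
    # Exact-match checks against fixed allowlists.
    if weekday not in WEEKDAYS or month not in MONTHS:
        return None
    # Range checks on every numeric field before it is used.
    day, year, hh, mm, ss = map(int, (day, year, hh, mm, ss))
    if not (1 <= day <= 31 and 1970 <= year <= 9999 and hh < 24 and mm < 60 and ss < 60):
        return None
    return {"weekday": weekday, "month": month, "day": day, "year": year,
            "time": (hh, mm, ss), "zone": zone}


def check_samples():
    """Map each constructed sample to whether the validator accepted it."""
    return {name: validate_daytime_reply(data) is not None
            for name, data in SAMPLE_REPLIES.items()}
```

Only the well-formed sample is accepted; every other sample is dropped at the first failed check rather than partially used.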
May we never see th
We have a Republican president and they control half of Congress.
Since this proposal would extend the reach and powers of the Gov't, it will never pass. Republicans are for a smaller government, remember?
Wait. Why are you laughing?
rather than a scheme for total world domination.
These companies are basically trying to erect additional barriers to entry into the software market: costly certification and training requirements, costly documentation requirements, etc. They know that they can satisfy them, but a small software vendor or an OSS project can't.
And they make those recommendations knowing full well that they won't work. If they knew how to make more secure software, they'd already be doing it. A bit of training and certification just is not sufficient for making software more secure.
what seemed to be a reasonable plan of action [...] However, at this early stage I see nothing more than an attempt to codify a national stance on computer security.
What's there to "codify"? What's reasonable about it? There is not a shred of evidence that the "strategy" described in the report will do anything to improve security.
At this point, we have to conclude that people continue to buy insecure software either (1) because they don't have a choice because of Microsoft's monopoly, or (2) because they don't care about security. If (1) applies, then the solution is to break up Microsoft's monopoly and give people a choice in software; then they can pick the level of security they like. If (2) applies, then what business does the government have to force a level of security into products that buyers don't want?
Realize that this is a *distribution* license. So, the best way to take the above is that if you distribute a GPLed program to someone and that someone never distributes the program under the GPL, but they try to sue you, you can't punt the problem up to the person who gave you the program.
The GPL, at each link, prevents handing over liability to the next level. So, generally, each company who distributes a GPLed program is liable. This, nicely, also fits well if companies become the main provider of GPLed software since they're likely selling it to you. Works pretty nice, eh?
Eurohacker European paranoia, gun rights, and h