Slashdot Mirror


Tech Companies Ask U.S. to Regulate Cyber Security

qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123 page reports, there is a three page summary available as well. The Washington Post, Forbes, and Other Sources are covering this story as well. I hope this is just another [late] April Fools Day joke, but I'm afraid that this looks too scary to be real."

27 of 371 comments

  1. Smells like a replay of the AT&T monopoly by Anonymous Coward · · Score: 5, Interesting

    Back in the early 1900s, there used to be a ton of independent phone companies. In spite of using different voltages, ringing systems, etc, they interoperated pretty darned well. But AT&T wanted to be big and was buying them up, and those who wouldn't sell were effectively isolated, the main excuses being interoperability problems. The stink began getting stronger, and eventually AT&T got the government to regulate it as a utility, so it could remain intact and simply be THE phone company. Only the ignorant think regulation was imposed on AT&T; it was their idea.

    This smells to me of the same process. Being sued for security holes would be much more effective at increasing security than some hare-brained government regulation scheme. After having thought up all those EULAs which disclaim all responsibility, and blustered about Linux having no-one responsible, this is just another big corporate scheme to maintain their power and squash the small guys, and place the blame elsewhere.

    The proper way to improve security is invalidate all those EULA disclaimers. A few big lawsuits with billions in damage verdicts would do far more to focus Microsoft's attention than any government regulatory body.

    1. Re:Smells like a replay of the AT&T monopoly by Tophorn · · Score: 2, Interesting

      You make a good point about affecting large corporations with lawsuits, but who gets sued when my linux server gets hacked? I would venture to guess that the average Open source contributor can't afford "big lawsuits with billions in damage verdicts". OSS may be (by design) more secure than closed source software, but if you think OSS is perfectly secure, then I suggest you go do your homework some more.

    2. Re:Smells like a replay of the AT&T monopoly by mytec · · Score: 3, Interesting

      The proper way to improve security is invalidate all those EULA disclaimers. A few big lawsuits with billions in damage verdicts would do far more to focus Microsoft's attention than any government regulatory body.

      Yeah, that will make a lot of companies/independent coders want to release code. Imagine not releasing code until you are positive there are no exploits or holes in your code. I don't see too many claims of *cough* unbreakable software going around save for Oracle.

    3. Re:Smells like a replay of the AT&T monopoly by cavemanf16 · · Score: 1, Interesting

      I can understand your reasoning, but remember that software is an intangible product so to speak. In other words, all it costs to produce further software or improve upon existing software is time and effort, both of which do not REQUIRE payment to do. So although I can see Microsoft, CA, and the BSA wanting regulation so that they don't have to expend more money to produce closed source software, I think the proverbial cat is outta the bag and cannot be stuffed back in. Just look at the rest of the world. Us USians seem to be the only country completely stuck on MS Windows as a "best practice" business concept right now.

      I think this is just a lot of blowing smoke up the gov's ass and won't amount to much in the end. (Or at its worst the US will impose software regulation and stagnate software development in this country while the rest of the world innovates and competes more successfully for "software dollars")

    4. Re:Smells like a replay of the AT&T monopoly by nelsonal · · Score: 2, Interesting

      Software is complex like many manufactured goods, (think car engines or buildings) how come cars can be made generally bug free or bugs are the responsibility of the manufacturer but software is generally taken to be impossible to make perfect? I'm not a computer scientist and my ability to code is only slightly more than the occasional script or applet, so please forgive my ignorance. I would have thought that quality issues were a factor of newness rather than impossibility.

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
    5. Re:Smells like a replay of the AT&T monopoly by MrAngryForNoReason · · Score: 5, Interesting

      You make a good point about affecting large corporations with lawsuits, but who gets sued when my linux server gets hacked?

      In order to claim damages in such a lawsuit you would have to prove that the company in question knew about a vulnerability and didn't fix it, therefore showing negligence on the part of the company.

      To apply this to OSS you first need to distinguish between free and Free software. If the linux distro you were using was Open Source but commercial, meaning you paid money for it, making it Free (as in speech) but not free (as in beer), then the same rules would apply. They would be responsible for damages if they knew about a vulnerability but didn't patch it.

      If the software was free (as in beer) then the developers shouldn't be held responsible for any flaws in the software. There is no contract between you and them, they have not promised you anything by allowing you to use their software free of charge.

      By making this distinction you make commercial OSS software developers equally liable for negligence without opening up small OSS projects to litigation they have no chance of surviving.

      This is of course all hypothetical as at the moment no software companies accept any responsibility for flaws in their software. And of course IANAL.

  2. is it just me.... by chrisopherpace · · Score: 2, Interesting

    or is it really hard to take this seriously when Microsoft's name is on it? On the other hand, pretty much anything that MS is involved in (other than anti-trust lawsuits) with the US is equally scary.

  3. Maybe... by Guspaz · · Score: 3, Interesting

    NetForce isn't that far off :p

  4. um... it's April 2nd guys... by Shirov · · Score: 5, Interesting

    The process sub-group will work with major software vendors and key critical infrastructure customer organizations to encourage and aid vendors in their adoption of the recommended low defect, higher security-oriented practices and processes.

    Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?

    I can see the next big M$ lawsuit...

    Plaintiff: Their buggy code cost us millions.

    M$: But we follow the homeland security software development model.

    Judge: So the software must be good. Perhaps the plaintiff was trying to do something illegal?

    Plaintiff: Shit... *sigh*

    1. Re:um... it's April 2nd guys... by Minna Kirai · · Score: 2, Interesting

      Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?

      That's half an acceptable idea, and half a horrible one.

      Not spending federal funds to protect insecure code: good.
      Spending federal funds to punish insecure code: bad.

      (Notice the pattern here? "Spending federal funds" should be considered a bad thing in general, unless specifically shown otherwise. Smaller government should be preferred by default.)

      If the government scaled back on spending to capture and punish virus-authors and other hackers*, they'd save money, enhance freedom of speech, and yet authors of insecure software would still be punished.

      They'd just be punished in the marketplace, not the courts. And that's the best place for it.

      Imagine if the next time an Outlook worm brought down all email servers for 12 hours, the police found the guy and put him back on the street with a $100 fine? Microsoft would suddenly face a tremendous pressure to finally fix the code, or face losing all their big corporate customers. Allowing the free market to dispense punishment in the form of lost revenue is the best way, because it shields small hobbyist programmers from arrest when a user claims "Your screen-saver erased my hard-drive!"

      * Yes, virus authors are really one kind of hacker, no matter what ESR claims

  5. What's the fuss? by Aardpig · · Score: 5, Interesting

    Sure, Microsoft and the BSA aren't the bosom buddies of most Slashdot readers. And for good reason. However, a quick look through the 3-page summary document revealed what seemed to be a reasonable plan of action, rather than a scheme for total world domination.

    Of course, if it turns out that the outcome of the regulation process is Microsoft-controlled security protocols and procedures, then there's something to beef about. However, at this early stage I see nothing more than an attempt to codify a national stance on computer security. Accordingly, I'm going to leave my tinfoil hat in its box for the moment.

    --
    Tubal-Cain smokes the white owl.
    1. Re:What's the fuss? by forand · · Score: 2, Interesting

      While I usually don't see a reason to stop regulation of an already regulated market (because someone is already in the lead and removing society's only way to force them to behave doesn't help), in cases where there is an emerging market I think that regulation, for things other than environmental impact and a few other things, should NOT be implemented. How is this going to help? As noted above all this does is provide software providers with a way of saying: "We followed all the RULES so we didn't do anything wrong." Now if we allowed companies and consumers alike to sue the software developer for delivering a product that was known to be insecure then the software companies would have a reason to make secure software. The regulation does not provide a reason to make secure software; it defines what that is, which can change or be wrong.

      but I am just one taco loving freak

  6. Help, Help, we might get sued! by lucifuge31337 · · Score: 5, Interesting

    Quote from the Washingtonpost.com article:
    "[It] is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," it said. "Any such gap should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible."

    In other words, "The legal climate is such that we are very likely to start getting sued for coding sloppy, insecure software. Rather than properly staffing to test our code, we'd rather have the taxpayers pay for this. This a) saves us money and b) puts the responsibility on someone other than us if there is a security problem."

    --
    Do not fold, spindle or mutilate.
  7. Re:interestingly by TykeClone · · Score: 2, Interesting

    They do regulate security in banking. It has become a "safety and soundness" issue in the last couple of years.

    Nothing more fun than having a bank examiner talk to you about network security - when they don't know much about it.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  8. Re:cyber security? we already have that! by TykeClone · · Score: 2, Interesting

    Yeah - that was some good work to do.

    As a bank, we were well on our way to getting everything ready to go, and then we had our exam and were "asked" to document everything.

    Long story short - the regulators tripled the amount of work to do without effectively adding any additional safety to the banking system.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  9. Re:Business calls for U.S. help in Net security by Tenebrious1 · · Score: 4, Interesting

    "The report says programmers should be held personally accountable for security holes in the software they write." Now we see, a shift of responsibility, to the programmers.

    Ok, if they want to make me "accountable" for the code I write, then they better transfer ownership, legal rights, and any profits derived from that code back to me. If they say "it's our code" and "you get no extra cash for writing it" then they can damn well take responsibility for what the code does.

    --
    -- If god wanted me to have a sig, he'd have given me a sense of humor.
  10. Seems pretty simple to me... by Glamdrlng · · Score: 4, Interesting

    I hate it when corporate agendas are this obvious, it makes me think I'm missing something, but I can't discern it from the obvious scheming. The crafty and subtle plot gets obfuscated by the blatant one.

    Let's see if I got this right...

    1. Distribute a development platform called .NET that allegedly does away with insecure coding practices.

    2. Influence laws and regs such that any software not coded on a "secure platform" such as yours is illegal.

    3. Let the feds regulate your competition out of existence.

    4. Profit!

    If this comes about, the only way F/OSS software will survive in the US is if both a Linux distribution and a Linux development platform can be constructed that will meet the same requirements that the conglomerate is pushing for. Of course, we're screwed with a capital F if the regs call for technology that Microsoft (or one of the other member companies) has patented.

    So I guess now it's "If you can't innovate, litigate... unless of course you have political influence, in which case, regulate!"

    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  11. Puff Piece by rnturn · · Score: 2, Interesting

    The report that is...

    So they propose that:

    • certifications
    • awards
    • educational programs
    and that these are going to result in secure software? So they still believe in Silver Bullets.

    Sounds like all these software houses -- who have been touting the superiority of the proprietary development model and decrying the open source development methodology for some years now -- cannot seem to figure out how to adapt their "superior" process to produce secure software. Oh, and let's get academia involved to educate future software developers in the proper way to create secure software. Which means, I take it, that the proprietary software houses have been unable to get their current developers to produce secure software. Following this plan will result in the first crop of (supposedly) secure software developers getting their first jobs in, oh, about 2015.

    So... I see this report and the suggestions contained in it as an indication that Microsoft (and others but predominantly MS) has utterly failed in the attempt to introduce security into their product lines. Even after all of Bill Gates's pep talks and internal memos. Now they think that creating a bunch of undergraduate courses in secure programming, certifications, and awards to software companies will somehow result in a new breed of software that won't be susceptible to worms and viruses. To me that says: ``We, the proprietary software industry have finally come to realize that writing secure software is quite beyond our capabilities and we make these suggestions so that other people can figure this out for us so that we merely have to hire new people who are already trained to do this. And, of course, these programs should be paid for by the Government.'' No. Strike that. They'd be paid for by you and me. Twice. First in the taxes that would go to create these educational programs and the certification organizations. Then, again, when the price of the software goes up because, well, now it's secure software and that's worth paying extra for isn't it?

    Funny that open source software -- and, to be fair, some proprietary software -- isn't anywhere nearly as vulnerable to the sorts of attacks that Microsoft's is. Because, it seems, those Neanderthal open source programmers didn't have the insight to include features that automatically run code by clicking on mail attachments, include scripting languages inside applications that have the ability to destroy user data or launch unrelated programs that damage the local and/or remote systems, or, ... (the list goes on).

    Wonder where all those open source programmers managed to learn about writing secure software (yes, yes, yes... I am aware even OSS can occasionally have bugs that affect security) without a college program, certifications, and industry awards? And how do they do it without a government subsidy? Oh, yeah. I forgot. They're able to do it because they don't have some pinhead from Marketing ranting and raving that seven new features need to be in the product in time for the next trade show and there is no time to waste with any discussions about how these features destroy the integrity of the software. Companies like Microsoft won't create more secure software once these programs are in place. Even if they are able to grab every straight-A, magna cum laude graduate of these programs in the country. Why? Because these poor folks are still going to have to answer to some pinhead from Marketing ranting and raving that all these new features need to be in the product in time for the next trade show.

    I sure as hell hope that some articulate luminaries in the open source development community have the opportunity to submit a report to the folks that are going to be reviewing this piece of tripe. The opposing viewpoint and an alternate plan needs to be heard.

    (Heh. If reading the summary got me this ticked off, imagine if I'd read the entire report!)

    --
    CUR ALLOC 20195.....5804M
  12. Re:FLOSS developers don't point fingers by Short Circuit · · Score: 2, Interesting

    Grayscale, actually.

    Some OSS developers will point fingers, primarily with "Autoconf 1.4 is crap. Use 1.7 instead" or "The DRI Radeon driver doesn't handle that well, try using the ones from ATI's website."

    You'll often see a conflict between keeping the code elegant and keeping it broadly compatible. The OSS developers I've interacted with tend to focus on the "elegant" aspect.

  13. software vendors shouldn't be liable by hak1du · · Score: 2, Interesting

    Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?

    Security is an engineering tradeoff, just like speed and usability. I don't want every software vendor to have to conform to the highest level of security out of fear of getting sued.

    The people who should worry about this sort of thing are the buyers of software. If your car mechanic can't fix your car in time because his PC got broken into, you go to a different car mechanic and he will go out of business. If a hotel can't accept reservations because their reservation system got hacked, they go out of business. For small businesses, those kinds of feedback mechanisms work pretty directly and after that sort of thing has happened once to a small business owner, they'll generally have learned their lessons.

    The problem is with non-competitive markets: many people have to buy Windows no matter how insecure it is because the software they need only runs on Windows. And you can't change airlines or banks just because they keep having security problems--there are too few of them around.

    If we create efficient, competitive markets in software, banking, airlines, etc., then the security of software will adjust to the optimal levels demanded by the market. Our problem is not lack of government regulation, it is lack of efficient markets.

    In short, if we want secure software, the government should simply get more aggressive on anti-trust enforcement again. And they should do so first of all against Microsoft so that buyers have a real choice. That's the sort of government activity we need, not bogus "security standards" which aren't going to work anyway.

  14. Two Things. by Anonymous Coward · · Score: 1, Interesting

    1) This is the same crowd that has fought to scuttle any and all government standards before. They would only be helping now if they felt that it would in some way benefit them or that they have no other choice. Since the DOJ has been actively focusing more and more on "piracy" lately I presume that this is the former. In which case we have to ask who will be targeted.

    The Summary itself is primarily concerned with economic benefits and the software industry. Since OpenSource software is not considered a "money making endeavor" then we can reasonably presume that it doesn't count as "industry". (Note: I am not asserting that people cannot be or are not now employed gainfully by Opensource, only that Congresscritters generally think so).

    A sample list of "recommendations" include:

    • DHS/NCSD should examine whether tailored government action is necessary to
      increase security across the software development lifecycle;
    • Develop sample performance metrics for administrators/IT Departments that
      encourage effective action;
    • Develop a multi-company program offering rewards for information leading to the
      conviction of cyber criminals;
    • Track and measure, and then certify, effective development processes
    • Create a program with government and industry support for Information
      Assurance/Computer Security faculty that provides a grant or reward for innovative
      educators in applicable fields for a fixed period of time;
    • Create a National IT Security Certification Accreditation Program.

    All of these suggestions are targeted specifically at "industry" (i.e. Microsoft) and seem likely to carry sufficient costs/licencing issues to lock OpenSource systems and those proprietary systems that are produced by small companies out of the market (particularly for lucrative government contracts).

    While this is only a talking points memo it might be worthwhile for those /.ers in the U.S. to think about contacting their congresspersons. Perhaps not right yet (we don't want to draw attention to it) but soon. It would be especially effective if those /.ers who are self-employed or work as part of small businesses might work to explain how a costly licencing program would cost them jobs. Similarly those employed by larger firms might explain how a costly govt program would turn them away from cost-saving alternatives that allow the company as a whole to save money and thus hire new people in the U.S. (It's all about jobs). Lastly those in the security world might explain how their ability to develop good software could be harmed by this.

    Mind you, I'm not arguing that government standards are inherently bad. I am, however arguing that any standards, if they exist should level the playing field and enhance security not lock out some players and bring us more into a monoculture.

    Just some suggestions.

  15. Just like Walmart by Anonymous Coward · · Score: 1, Interesting

    As I understand it, lawyers for some big, national retailers in the USA were enthusiastic supporters of ending the sales tax exemption on Internet-based purchases. For a large operation that has scores of accounting and legal expert resources on staff anyway, understanding, comprehending and complying with the diverse tax laws of 50 states is a minuscule incremental cost. For a mom-and-pop operation it makes the cost of entering or continuing a small business, that might have national or even world-wide reach due to the Internet, prohibitive.

  16. Does 'Cyberterrorism" even exist? by faust2097 · · Score: 3, Interesting

    Has there ever been a documented case of actual 'cyberterrorism' against the US? It seems like all the laws and hoopla around it seem to do is hand out extremely long prison sentences to script kiddies. Most of the criminal hacking I've ever heard of was for personal gain or just for reputation/attention getting. Has any actual group successfully launched anything that could be considered a terror attack?

    Even the fairly cohesive stuff like the long-running India vs Pakistan web site defacement battle is just a really annoying flame war.

    1. Re:Does 'Cyberterrorism" even exist? by Ironsides · · Score: 2, Interesting

      You have a good point here. Besides, can anyone tell me the last time a Hacker/Cracker/Script Kiddy or anyone, using a computer, physically injured or killed anyone? I mean come on, last I heard the chance of getting struck by lightning while carrying the winning lottery ticket to the powerbowl was higher than getting killed due to a computer error or so called 'Cyberterrorism'.

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
  17. Tell you what.... by irving47 · · Score: 2, Interesting

    I'll make you a deal. Pass ONE law about cybersecurity. Make it illegal to run an open relay mail server. See if you can enforce it. We'll know if it works if spam decreases.. If you can, and it does, you can pass another law. See if you can enforce that, too. Then we'll talk.

    (see you sometime in 2036)

    --
    I had a sucky sig.
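
    The comment above leaves "open relay" undefined. The following is an added illustration, not part of irving47's comment and not the code of any real MTA, of the decision a mail server makes at the RCPT TO step: a closed relay accepts a recipient only when the domain is one it hosts, or when the client is a local or authenticated user; an open relay accepts any syntactically valid recipient from anyone, which is what spammers probe for. The local domains (example.com), trusted network (192.0.2.0/24) and client addresses (203.0.113.0/24) are assumptions built from RFC-reserved documentation ranges.

```python
"""Toy model of an SMTP server's RCPT TO decision (constructed example).

A mail server is an "open relay" when it accepts mail addressed to domains it
does not host from clients it has no relationship with. closed_relay_policy
is the usual correct rule; open_relay_policy is the misconfiguration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Session:
    """State of one SMTP client connection that matters for relay decisions."""
    client_ip: str
    authenticated: bool = False   # SMTP AUTH succeeded earlier in the session


# Assumed deployment: domains we deliver for, and the LAN we relay for.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]          # RFC 5737 TEST-NET-1


def recipient_domain(rcpt: str) -> str:
    """Extract the domain from a RCPT TO argument such as '<user@host>'."""
    local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed recipient {rcpt!r}")
    return domain.lower()


def closed_relay_policy(session: Session, rcpt: str) -> bool:
    """Return True if a correctly configured server may accept this recipient."""
    domain = recipient_domain(rcpt)
    if domain in LOCAL_DOMAINS:
        return True                  # inbound mail for us: always accepted
    client = ip_address(session.client_ip)
    if session.authenticated or any(client in net for net in TRUSTED_NETS):
        return True                  # our own users may send outbound mail
    return False                     # stranger asking us to relay: refuse


def open_relay_policy(session: Session, rcpt: str) -> bool:
    """The misconfiguration: accept any well-formed recipient from anyone."""
    recipient_domain(rcpt)           # only syntax is checked
    return True


def smtp_response(accepted: bool) -> str:
    """Map the policy decision to the reply line the client would see."""
    return "250 OK" if accepted else "554 5.7.1 Relay access denied"


def probe(policy) -> dict:
    """Run the classic open-relay probe: an untrusted client sends RCPT TO
    for a domain we do not host. The other three cases show legitimate use."""
    stranger = Session(client_ip="203.0.113.7")        # RFC 5737 TEST-NET-3
    lan_user = Session(client_ip="192.0.2.10")
    authed = Session(client_ip="203.0.113.7", authenticated=True)
    return {
        "stranger->local": smtp_response(policy(stranger, "<bob@example.com>")),
        "stranger->remote": smtp_response(policy(stranger, "<victim@example.net>")),
        "authed->remote": smtp_response(policy(authed, "<victim@example.net>")),
        "lan->remote": smtp_response(policy(lan_user, "<victim@example.net>")),
    }


def is_open_relay(policy) -> bool:
    """A server is an open relay if the stranger->remote probe gets a 250."""
    return probe(policy)["stranger->remote"].startswith("250")


if __name__ == "__main__":
    for name, pol in (("closed", closed_relay_policy), ("open", open_relay_policy)):
        verdict = "OPEN RELAY" if is_open_relay(pol) else "ok"
        print(f"{name}: {verdict} {probe(pol)}")
```

    The same four-message probe is what a real relay test does over the wire (HELO, MAIL FROM, RCPT TO for a foreign domain, then look at the reply code); the only difference here is that the policy function stands in for the remote server.
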
  18. Homeland Security got an F in Computer Security... by feloneous cat · · Score: 2, Interesting

    Yup. It can be read right here: Computer Security Report Card

    Is this a case of the blind leading the sighted?

    --
    IANAL, but I've seen actors play them on TV
  19. Is there no end to this man's greed? by Jerry · · Score: 4, Interesting

    It is appropriate that this 'report' was released on April 1st. Halloween would also have been appropriate. Here is what it will do:

    1) Give M$ a shield from responsibility for the massive insecurity of their software by making a 'security organization' the accountable party. "Software companies" (i.e., mainly M$) would fund the company. The security organization would lay down rules about how bugs and holes are discovered (not a certified programmer? -- then you can't look for/report bugs. See the story of the French scientist who is being sued for pointing out vulnerabilities.), how they are reported (no public reports at all until the patch, if ever, is released, then no announcement as to how long the bug/hole has been open), and how they are released -- through 'special' sites, for a fee, of course, so that the consumer pays even more for M$ bugs.

    2) Require programmers to get "security certifications" from "accredited" schools. These are schools which have received funds (guess from whom) to finance/"reward" faculty members who establish such programs. Guess which OS will have certification programs, and which won't be allowed on campus. (Just ask yourself which platforms aren't allowed equal billing with Windows on Dell computers.) Programs written by "uncertified" programmers will not be allowed distribution through 'certified' channels. Uncertified channels will be made illegal.

    3) No answers as to which programmers get 'grandfathered' in, but the entire MS programming staff would be a good guess.

    4) Independent Software Vendors (ISV's ---i.e., OpenSource folks) will have to meet requirements which are, in effect, designed to keep them from developing software drivers for new hardware, effectively locking them out of future markets.

    Microsoft, the BSA (enforcement arm of MS licensing), and other companies with less than desirable security records would then use the courts to completely muzzle news of the vulnerabilities in their software. With that accomplished they can essentially shut down their repair operations and move the whole program into the public law enforcement arena, using local and national law enforcement agencies as their "security repair" division. Just remember that French scientist who was sued as a 'terrorist' for revealing security holes in software which the vendor claimed in their ads was "100% secure". This will be in no way different than what coal mine owners did in their efforts to keep slave labor trapped in their mines, but this time it will be consumers trapped into using buggy, insecure software with no alternatives. The end result is that the software will get worse because the incentive to repair is removed and will become more expensive because there will be no Open Source competition.

    The current crop of "Security Organizations", most of whom have already knuckled under to Microsoft, will not be needed in the "New Order", but I'll wager most of them haven't figured that out yet and are probably jumping on the bandwagon because they have, like so many companies Microsoft has deflowered and plundered, visions of increased revenues as Microsoft 'partners' in this new scam.

    The 'security problem' doesn't need a 123 page report to identify the security problem and create solutions for it. The problem is Windows. The solution is for Bill Gates to spend some of his $50 Billion to fix the code, not buy off congressmen and judges and make their problem a law enforcement issue at the public's expense. Is there no end to this man's greed?

    --

    Running with Linux for over 20 years!