Slashdot Mirror


Tech Companies Ask U.S. to Regulate Cyber Security

qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123-page reports, there is a three-page summary available as well.) The Washington Post, Forbes, and other sources are covering this story as well. I hope this is just another [late] April Fools' Day joke, but I'm afraid that this looks too scary to be real."

8 of 371 comments

  1. Smells like a replay of the AT&T monopoly by Anonymous Coward · Score: 5, Interesting

    Back in the early 1900s, there used to be a ton of independent phone companies. In spite of using different voltages, ringing systems, etc., they interoperated pretty darned well. But AT&T wanted to be big and was buying them up, and those who wouldn't sell were effectively isolated, the main excuses being interoperability problems. The stink began getting stronger, and eventually AT&T got the government to regulate it as a utility, so it could remain intact and simply be THE phone company. Only the ignorant think regulation was imposed on AT&T; it was their idea.

    This smells to me of the same process. Being sued for security holes would be much more effective at increasing security than some hare-brained government regulation scheme. After having thought up all those EULAs which disclaim all responsibility, and blustered about Linux having no-one responsible, this is just another big corporate scheme to maintain their power and squash the small guys, and place the blame elsewhere.

    The proper way to improve security is invalidate all those EULA disclaimers. A few big lawsuits with billions in damage verdicts would do far more to focus Microsoft's attention than any government regulatory body.

    1. Re:Smells like a replay of the AT&T monopoly by MrAngryForNoReason · Score: 5, Interesting

      You make a good point about affecting large corporations with lawsuits, but who gets sued when my Linux server gets hacked?

      In order to claim damages in such a lawsuit you would have to prove that the company in question knew about a vulnerability and didn't fix it, thereby showing negligence on the part of the company.

      To apply this to OSS you first need to distinguish between free and Free software. If the Linux distro you were using was Open Source but commercial, meaning you paid money for it, making it Free (as in speech) but not free (as in beer), then the same rules would apply. They would be responsible for damages if they knew about a vulnerability but didn't patch it.

      If the software was free (as in beer) then the developers shouldn't be held responsible for any flaws in the software. There is no contract between you and them, they have not promised you anything by allowing you to use their software free of charge.

      By making this distinction you make commercial OSS software developers equally liable for negligence without opening up small OSS projects to litigation they have no chance of surviving.

      This is of course all hypothetical, as at the moment no software companies accept any responsibility for flaws in their software. And of course IANAL.

  2. um... it's April 2nd guys... by Shirov · Score: 5, Interesting

    > The process sub-group will work with major software vendors and key critical infrastructure customer organizations to encourage and aid vendors in their adoption of the recommended low defect, higher security-oriented practices and processes.

    Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?

    I can see the next big M$ lawsuit...

    Plaintiff: Their buggy code cost us millions.

    M$: But we follow the homeland security software development model.

    Judge: So the software must be good. Perhaps the plaintiff was trying to do something illegal?

    Plaintiff: Shit... *sigh*

  3. What's the fuss? by Aardpig · Score: 5, Interesting

    Sure, Microsoft and the BSA aren't the bosom buddies of most Slashdot readers. And for good reason. However, a quick look through the 3-page summary document revealed what seemed to be a reasonable plan of action, rather than a scheme for total world domination.

    Of course, if it turns out that the outcome of the regulation process is Microsoft-controlled security protocols and procedures, then there's something to beef about. However, at this early stage I see nothing more than an attempt to codify a national stance on computer security. Accordingly, I'm going to leave my tinfoil hat in its box for the moment.

    --
    Tubal-Cain smokes the white owl.

  4. Help, Help, we might get sued! by lucifuge31337 · Score: 4, Interesting

    Quote from the Washingtonpost.com article:
    "[It] is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," it said. "Any such gap should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible."

    In other words, "The legal climate is such that we are very likely to start getting sued for coding sloppy, insecure software. Rather than properly staffing to test our code, we'd rather have the taxpayers pay for this. This a) saves us money and b) puts the responsibility on someone other than us if there is a security problem."

    --
    Do not fold, spindle or mutilate.

  5. Re:Business calls for U.S. help in Net security by Tenebrious1 · Score: 4, Interesting

    "The report says programmers should be held personally accountable for security holes in the software they write." Now we see a shift of responsibility to the programmers.

    Ok, if they want to make me "accountable" for the code I write, then they better transfer ownership, legal rights, and any profits derived from that code back to me. If they say "it's our code" and "you get no extra cash for writing it" then they can damn well take responsibility for what the code does.

    --
    If god wanted me to have a sig, he'd have given me a sense of humor.

  6. Seems pretty simple to me... by Glamdrlng · Score: 4, Interesting

    I hate it when corporate agendas are this obvious; it makes me think I'm missing something, but I can't discern it from the obvious scheming. The crafty and subtle plot gets obfuscated by the blatant one.

    Let's see if I got this right...

    1. Distribute a development platform called .NET that allegedly does away with insecure coding practices.

    2. Influence laws and regs such that any software not coded on a "secure platform" such as yours is illegal.

    3. Let the feds regulate your competition out of existence.

    4. Profit!

    If this comes about, the only way F/OSS software will survive in the US is if both a Linux distribution and a Linux development platform can be constructed that will meet the same requirements that the conglomerate is pushing for. Of course, we're screwed with a capital F if the regs call for technology that Microsoft (or one of the other member companies) has patented.

    So I guess now it's "If you can't innovate, litigate... unless of course you have political influence, in which case, regulate!"

    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.

  7. Is there no end to this man's greed? by Jerry · Score: 4, Interesting

    It is appropriate that this 'report' was released on April 1st. Halloween would also have been appropriate. Here is what it will do:

    1) Give M$ a shield from responsibility for the massive insecurity of their software by making a 'security organization' the accountable party. "Software companies" (i.e., mainly M$) would fund the company. The security organization would lay down rules about how bugs and holes are discovered (not a certified programmer? -- then you can't look for/report bugs. See the story of the French scientist who is being sued for pointing out vulnerabilities.), how they are reported (no public reports at all until the patch, if ever, is released, then no announcement as to how long the bug/hole has been open), and how they are released -- through 'special' sites, for a fee, of course, so that the consumer pays even more for M$ bugs.

    2) Require programmers to get "security certifications" from "accredited" schools. These are schools which have received funds (guess from whom) to finance/"reward" faculty members who establish such programs. Guess which OS will have certification programs, and which won't be allowed on campus. (Just ask yourself which platforms aren't allowed equal billing with Windows on Dell computers.) Programs written by "uncertified" programmers will not be allowed distribution through 'certified' channels. Uncertified channels will be made illegal.

    3) No answers as to which programmers get 'grandfathered' in, but the entire MS programming staff would be a good guess.

    4) Independent Software Vendors (ISVs, i.e., Open Source folks) will have to meet requirements which are, in effect, designed to keep them from developing software drivers for new hardware, effectively locking them out of future markets.

    Microsoft, the BSA (enforcement arm of MS licensing), and other companies with less than desirable security records would then use the courts to completely muzzle news of the vulnerabilities in their software. With that accomplished they can essentially shut down their repair operations and move the whole program into the public law enforcement arena, using local and national law enforcement agencies as their "security repair" division. Just remember that French scientist who was sued as a 'terrorist' for revealing security holes in software which the vendor claimed in their ads was "100% secure". This will be in no way different than what coal mine owners did in their efforts to keep slave labor trapped in their mines, but this time it will be consumers trapped into using buggy, insecure software with no alternatives. The end result is that the software will get worse because the incentive to repair is removed and will become more expensive because there will be no Open Source competition.

    The current crop of "Security Organizations", most of whom have already knuckled under to Microsoft, will not be needed in the "New Order", but I'll wager most of them haven't figured that out yet and are probably jumping on the bandwagon because they have, like so many companies Microsoft has deflowered and plundered, visions of increased revenues as Microsoft 'partners' in this new scam.

    The 'security problem' doesn't need a 123 page report to identify the security problem and create solutions for it. The problem is Windows. The solution is for Bill Gates to spend some of his $50 Billion to fix the code, not buy off congressmen and judges and make their problem a law enforcement issue at the public's expense. Is there no end to this man's greed?

    --

    Running with Linux for over 20 years!