Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do We Need a Sarbanes-Oxley for The Internet?

Posted by Cliff on from the more-regulation dept.

An anonymous reader asks: "Since 2002, corporate executives have been held accountable through the Sarbanes-Oxley Act (SOX) for their own internal IT security (with heavy fines and even prison terms when SOX isn't complied with) despite the fact that this level of accountability doesn't exist for some critical elements of the internet. Is it high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service, in effect a Sarbanes-Oxley Act for the Internet?"

6 of 54 comments (clear)

  1. Short answer by truthsearch · · Score: 5, Insightful

    NO!

    I spent 10 years in IT of the financial industry. The day SOX got passed everything went downhill. The problem is that it's more about accountability that actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signiture" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down. What happens in the company is whatever intrisic trust there was between coworkers disappears. All the company wants and needs is the paper trail. Cost of the service goes up while quality goes down.

    So while we want some accountability, and IT version of SOX is not the way to go. There are other good reasons, but this is one I'm personally experienced with. It's among the reasons I left the financial industry 2 months ago.

    --
    Developers: We can use your help.
    1. Re:Short answer by truthsearch · · Score: 4, Insightful

      The idea was to hold the right employees accountable when regulations or laws are broken within a company. It's a response to Enron and WorldCom.

      The problem with doing this with the internet is its built-in distribution of responsibilities across many companies. If I get a virus do we audit my ISP, the company that built the routers, the telecom company that owns the wiring, the source's ISP, the developer of the virus (who's rarely found), the developer of the OS, server admins?

      Within one company it's relatively easy to trace responsibility. Over the internet there would be many debates, very costly audits, and rarely prosecutions.

      --
      Developers: We can use your help.
  2. Typical Crap by bsdbigot · · Score: 4, Insightful

    Yes, obviously the answer to EVERY problem about the Internet is more laws on the books. The scary thing is, with things like SOX, we spend more money and time on bureaucracy than fostering an environment which would preclude the need for SOX in the first place. Instead of criminalizing bad conduct, why doesn't the government try to encourage could conduct by, say, granting tax relief for companies that are fully SOX compliant instead of prosecuting executives that fail to make this happen. That would encourage good behavior far better than turning people off to being in business in the first place.

    Think about it - let's say you're Bill Gates or Scott McNealy; would you really want to be in a position where failure to do your job correctly would result in jail time? SOX is stupid for exactly this reason.

    Now, translate that to the internet. You are a webmaster, and because you didn't install NT4SP26 on your IIS farm, you could face 20 years in jail. Utter bullshit. Let's kill this idea before it gets any momentum!

    --
    main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,- 1,-100};for(I=l=0;l<10+0;put
  3. Security is a process not a project by NoSuchGuy · · Score: 4, Insightful

    As a CEO you can't start a project called "Let's get secure!" and expect to be immune to all threats.

    Security isn't a one time spending.

    You can't spend 2 times the amount of X Dollars and expext to be 2 times more secure than spending only X Dollars!

    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.

    You have to rethink everthing everytime.
    Security nees a steady budget.

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  4. Death knell for amateur computer science... by Leadhyena · · Score: 4, Insightful
    It's inevitable... the government will demand for accountability of all actions on the internet. Run with me on this argument before you call me chicken little, and you will see the slippery slope that we're treading upon. Already the internet has entered case law and precedent has been set in many situations. Congress has also made some laws over actions on the net, and they plan to do more. It's only a matter of time until the whole thing gets regulated.

    And what does this imply? Well, for starters it'll require something like a SOX regulation; while it won't demand packet sniffing per se, it will demand that source and destination ip addresses, MAC addresses, and ports be logged, so that people who release viruses/trojans/spyware/spam et. al. can be held accountable. Then anyone running a "web service" may be required to take logs of activites (to be used in investigations of fraud or terrorist activities), so that authorities may request these materials upon subponea.

    And even then it won't be enough to stop identity theft, copyright infringement, and other criminal activities on the net. That when Congress will come to the "realization" that programming is what makes everything on the net possible, and finally demand that programmers be held accountable for their code. That will be the death-knell of amateur computer science, for you won't be permitted to write a program and run it on an internet-enabled computer without having to take responsibility for that program's actions, limiting one's recreational programing to toy computers and sandboxes. It will progress to the point where it will be "impossible" for a programmer to take responsibility for writing something on the internet, because he/she cannot afford the insurance that he/she will have to take out to cover the insurance necessary to protect themselves from programming lawsuits when a program they authored is used to perform evil actions.

    Obviously some people will have to be allowed to program on the net everyday, to patch programs that users find bugs in or black-hats find exploits in. The only way for these programmers to obtain programming insurance is to partake in several programming certification classes in order to obtain a license to program. Maybe I'm being paranoid, but this seems to be the logical extension of the government's desire to determine accountability for all activities towards the internet.

  5. Who are you regulating? by rnxrx · · Score: 3, Insightful

    SOX deals with accountability within US corporations. It doesn't speak to the operations of companies outside the US. Attempts by particular countries to legislate the Internet have historically been ineffectual at best. This would be no exception.