White House Tackling the Economics of Cybersecurity
GovTechGuy writes "White House Cybersecurity czar Howard Schmidt will be hosting a meeting Wednesday with the Secretaries of DHS and Commerce in which he is expected to discuss the administration's new attempt to change the economic incentives surrounding cybersecurity. Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win. The White House could be considering things like tax incentives, liability and insurance breaks, and other steps to try and get companies to invest in protecting their networks. It's also likely to dovetail with a step up in enforcement, so hackers be wary."
they'll still fuck us on the taxes any way they can.
I mean, an insurance company won't insure your house if you don't put a lock on the door, so why should anyone care for cyber-security if a company doesn't take any measures to protect itself?
If you've got a network worthy of necessary security, it's not that hard to set up a linux firewall between your router and your gateway.
so hackers be wary
No, my lily-livered, money-grubbing, ass-hat bureaucratic friends, you should be wary. Keep passing bullshit legislation, cancelling programs at NASA, bailing out the corrupt, approving assassination of Americans, and the hackers will turn to the politicians and megacorps, once the people and small business have been robbed fucking blind and hogtied into submission.
The major targets of hackers these days are financial in nature: account numbers or systems authorized to perform wire transfers.
The real solution to security is not to give companies more incentive to secure their information, but to give hackers less incentive to hack. Make a standard, PKI-based, government-regulated solution for financial transactions. Require that all transactions be digitally signed by smart cards, for example. Ensure that someone possessing your account numbers or even your passwords could not use them to transfer money from your account.
It sounds like they are going after the wrong incentives right now...
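The signed-transaction scheme the comment sketches, written out as an added example (not the commenter's code): the card holds a private key that never leaves it, every field the bank acts on is covered by the signature, and the bank verifies against the key enrolled at sign-up. It uses the Go standard library's ECDSA; the account identifiers, the field layout and the per-account nonce used to reject replays are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction is the payload the customer's card signs. Every field the bank
// acts on is under the signature, so someone holding the account number (or
// even the online-banking password) cannot change payee or amount without
// invalidating it. The field set is a constructed example, not a real format.
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Nonce       uint64 // per-account counter; lets the bank reject replays
}

// digest produces the canonical bytes that are signed and verified.
func (t Transaction) digest() []byte {
	canon := fmt.Sprintf("%s|%s|%d|%d", t.FromAccount, t.ToAccount, t.AmountCents, t.Nonce)
	sum := sha256.Sum256([]byte(canon))
	return sum[:]
}

// SmartCard stands in for the customer's token. The private key is generated
// inside it and is never exported; only signatures leave the card.
type SmartCard struct {
	key *ecdsa.PrivateKey
}

func NewSmartCard() (*SmartCard, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SmartCard{key: key}, nil
}

// PublicKey is what the customer registers with the bank at enrollment.
func (c *SmartCard) PublicKey() *ecdsa.PublicKey { return &c.key.PublicKey }

// Sign authorizes exactly one transaction.
func (c *SmartCard) Sign(t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.key, t.digest())
}

// Bank keeps the enrolled public key per account and the nonces already spent.
type Bank struct {
	keys map[string]*ecdsa.PublicKey
	used map[string]map[uint64]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]*ecdsa.PublicKey{}, used: map[string]map[uint64]bool{}}
}

func (b *Bank) Register(account string, pub *ecdsa.PublicKey) {
	b.keys[account] = pub
	b.used[account] = map[uint64]bool{}
}

// Accept returns nil only for a transfer carrying a fresh, valid signature from
// the key enrolled for the source account. Account numbers and passwords alone
// yield no acceptable signature.
func (b *Bank) Accept(t Transaction, sig []byte) error {
	pub, ok := b.keys[t.FromAccount]
	if !ok {
		return errors.New("unknown source account")
	}
	if !ecdsa.VerifyASN1(pub, t.digest(), sig) {
		return errors.New("signature does not match the enrolled key")
	}
	if b.used[t.FromAccount][t.Nonce] {
		return errors.New("replayed transaction")
	}
	b.used[t.FromAccount][t.Nonce] = true
	return nil
}

func main() {
	card, err := NewSmartCard()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("ACC-1001", card.PublicKey()) // constructed account id

	tx := Transaction{FromAccount: "ACC-1001", ToAccount: "ACC-2002", AmountCents: 5000, Nonce: 1}
	sig, _ := card.Sign(tx)
	fmt.Println("signed by card:", bank.Accept(tx, sig))

	forged := tx
	forged.ToAccount = "ACC-MULE" // attacker knows the account number but holds no card
	fmt.Println("altered payee:", bank.Accept(forged, sig))
	fmt.Println("replay:", bank.Accept(tx, sig))
}
```

The nonce is what makes a captured signature worthless a second time; without it a valid signed transfer could be resubmitted, which is the failure mode a real deployment has to close alongside signature checking.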
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
First things first. I propose that the U.S. government tap the creative forces of the 4chan, worth1000 and Fark Photoshop communities for a cost-effective and highly creative solution to replace the godawful uninspiring motivational posters being distributed by the United States Office of the Director of National Intelligence, Office of the National Counterintelligence Executive:
Check 'em out here: http://www.ncix.gov/publications/posters/index.html
"ONCIX does not provide printed copies of our posters. These materials are NOT copyrighted, and you are welcome to download, print, and disseminate our posters freely to promote greater counterintelligence awareness."
http://www.object404.com
So the moral of this story is as follows: those too ignorant and lazy to secure the networks they provide will suffer, and those who subscribe / utilize those networks will suffer even more. Those who point out the errors and vulnerabilities in said networks will be labeled 'teh evil haxors' and face prosecution. Those who secure their networks will receive taxpayer dollars.
So now the assbag super-telcos that have been too lazy to adequately secure their infrastructure have a legitimate reason to upgrade. The taxpayers are funding it!
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
Why are we still trying to do this job with inefficient humans! We just need one good CyberMonkey Officer to train the rest of the Corps, and voilà! Peace through superior MonkeyPower!
This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
Anything with the word cyber in it is automatically bullshit as far as I'm concerned, so let's dig a little deeper. Who is coming to this meeting?
Among those invited is Larry Clinton, president of the Internet Security Alliance, which represents a range of critical private security industries concerned about cybersecurity.
Ah, the Internet Security Alliance. And who do they represent? No major software or hardware companies are listed. (Symantec doesn't count) Funny enough, I see companies like Raytheon, Boeing, and Lockheed Martin. I'm just speculating (you know, this being /. and all), but something tells me the good ol' boys of the defense industry are trying to get another gravy train started up here.
E pluribus unum
how about getting off of Windows? to bad OS/2 died; and why do hole-filled Windows have to run on ATMs?
if getting of Windows is to hard, how about fixing the apps with big security holes in them / apps that need admin mode to run.
I love this idea!
If the companies take taxpayer money to secure their networks and their networks become compromised, does that mean we (the taxpayers) get to sue for breach of contract?
WHAT?!
I see you are still working on your mastery of "of/off." I would keep practicing your "to/too" though.
I think this is a step in the right direction. In the US, we've long faced problems with trying to figure out how to incentivize good behavior, rather than simply discouraging the bad. Yet one of the largest problems facing down the threat of hacking and corporate espionage is acknowledging when there's been a breach. Nobody wants to admit it!
My dad used to call an approach of rewarding appropriate behavior and non-rewarding inappropriate behavior as the "carrot and stick" approach: dangle the carrot, if they don't go along, whack 'em with the stick!
My thoughts on a few carrots we could use at the federal level:
1. Certification process for government contractors. A security-certified contractor can get preferential placement on government contracts on the point scale already in place.
2. Exploit awareness networking. Implement a real-time scorecard for corporations that report attacks against them, both those foiled and those in which there was a breach. Once again, apply good behavior credits toward the contract bidding process.
Sticks:
A. Mandatory public service for convicted attackers. And I'm not talking about cleaning up the garbage in Central Park. I'm talking about the sentence for hacking a company is mandatory time spent serving that company. I mean, if I hacked the Wendy's network and had to spend a few months dumping out their grease-buckets, I might think twice next time.
B. Incentivize whistleblowing with rewards for people who turn their companies in. Now, this might sound a little bit 1984-esque, but if there were a tangible reward and promised anonymity, I think we'd find employees and competitors working very hard to learn if the target company was hacked or not.
Just a couple of random musings. What other carrots & sticks could we use?
Matthew P. Barnson
I learn what I think when I read what I write
Require banks to pay for every single breach that is their fault. Right now, it's the merchants who get screwed. If someone walks into one of the retail outlets I consult for with a fake ID, matching fake credit card, and walks out with the merchandise, 9 times out of 10 there is some obscure rule that wasn't followed that will allow the cardholder to get their money back, and the bank to get their money back, leaving the merchant with the option to take cash only or take the hit and continue doing business. "Cybercrime" -- or as I like to call it, 21st Century Crime -- only gets worse from here.
This is free market capitalism at its finest, where the costs always find their way to the entity with enough money to pay the bill, but not enough to fight the system that forces them to pay. Unfortunately, the government not giving two shits about small businesses has been old news for some time. Hopefully people are going to wise up and realize that you don't do away with the government, just the lobbyists and corporate revolving door that is currently ruining it.
military complex and start banging the drums, it's time for another cyberwar/security/terror/FUD article. This is just information security with a shiny new name.
Good people go to bed earlier.
I'm amused this appears on the same page as the discussion about liability for breaches. We all know that enforcing large, public, and expensive fines is the only solution that corporations will pay any attention to. In fact, why not make CIOs (and CEOs?) personally liable.
I am truly amazed that you managed to mangle the English language so incredibly badly in such a short post.
For the last 2 years, my corporate general liability insurance has required some level of network and computer systems security in the contract. The problem is that those contracts are signed by people who don't know anything about network or computer systems security and they "assume" their IT department are doing all of it without asking them.
Realistically, the requirements are just a checklist for most things you should already be doing ... except there was one requirement that didn't make sense in our environment at all. Whatever. That's the great thing about requirements: they only make sense some of the time, maybe even most of the time, but not ALWAYS. For example, requiring that all desktops run antivirus software makes perfect sense with MS-Windows, but not in a Linux-only company like mine. We don't have any Microsoft or Adobe (not even Flash) or Apple software, so exactly how are we going to get infected with a virus? The company doesn't own any desktops or laptops since our engineers wouldn't like it anyway. Each person is responsible for their personal computer and the security of it.
We don't hire people that don't know how to secure a PC, and if they do need help, we load Linux, set up remote key-based access and add their system to our weekly maintenance job. Simple. Done. If only my Mother would go for this, then I'd be happy.
If companies were at risk of "cyber-attack", they'd take appropriate precautions. If they're not at risk, they won't; it's a waste of money.
If it was feasible to attack corporations for profit, people would be doing it. If it's not, they won't try.
"Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win" ... and yet, it's business as usual.
If that were true, then companies would be getting ransacked right now.
The market forces are in balance. Therefore, corporations already have the appropriate level of security.
Just an excuse for more government control.
When is the government going to lower taxes? It certainly won't be in this lifetime....
"Corporations will claim they set up security in order to save on taxes" - by Monkeedude1212 (1560403) on Monday July 12, @05:45PM (#32879486)
That's when jobs for AUDITORS come into play: In order to get the tax break bennies, they'll have to pass an audit, & that means job creation (hopefully) for all of your basic "techie-security" types that have been put out of jobs by this recession... & the ONLY WAY OUT OF THIS RECESSION IS TO CREATE DECENT PAYING LONG-TERM JOBS "for the masses" (because once you get folks spending? They're helping Peter pay Paul, who pays (insert name here), & eventually, this comes back to YOU also).
Tools that make THIS part of the job easier?
There are good automated tools for it, like CIS Tool -> http://www.computerworld.com/s/article/9018362/CIS_tool_aims_to_help_federal_agencies_check_Windows_security_settings or Microsoft's Baseline Security Analyzer 2.1 -> http://www.microsoft.com/downloads/details.aspx?familyid=f32921af-9dbe-4dce-889e-ecf997eb18e9&displaylang=en (for starters, @ least, for analyzing SERVERS & WORKSTATIONS - for coding practices? You need solid DBAs & coders!).
APK
P.S.=> Some companies are REAL PRICKS about this though... How do I know this? Ok:
Back in 2006, I worked for a pretty major self-insurer. I pointed out they had security issues, because I was hired to secure their code (VB.NET/ASP.NET done via Visual Studio 2005, talking to SQL Server 2005), which was all "fine & good", except their end-node points like printers & PC workstations weren't fully secured (to the point where I found out the THEN network administrator/CIO had set up Trend Micro AntiVirus SO WRONG, it was 7++ months OUT OF DATE & not updating on workstations etc.), & more in their network itself that needed shoring up as well!
So, what happened?
Heh, they FIRED me (after I delivered 7 working programs over a 10 month period no less)... I could not believe it. Heh, they even tried to accuse me of "hacking their network" & I did NO SUCH DAMN THING (this really, REALLY pissed me off in fact). However, I pointed out, verbally to the CIO in fact, just how/where/when/why it MIGHT happen though, but, that's NOT 'hacking/cracking' their network... far from it!
This is "how it goes" when you try to do "the right thing" & it's just pointing out that the personnel in place are either 1.) NOT DOING THEIR JOB or 2.) INCOMPETENT (take your pick)... you get "smoked" for it!
I was told "pick your battles more wisely" & I just said "this is NOT a 'battle', it's pointing out the other 1/2 of what you hired me on for, which goes BEYOND just coding & ensuring apps use Stored Procedures + managed code etc.". In the end it was their loss, and the 2 guys that fired me?
They MUST have gotten "busted" for this, because they were "GONE WITH THE DAWN" shortly after I was unjustly terminated... serves those 2 bastards right, imo! apk
Preparedness for cyber attacks is currently a joke. I have experience in cooperating with the FBI, SEC, and FINRA to address vulnerabilities at online banks and stock brokers. Is anyone aware of companies or agencies that are hiring in this line of work that I could apply to?
-- I was raised on the command line, bitch