Slashdot Mirror

← Back to Stories (view on slashdot.org)

White House Tackling the Economics of Cybersecurity

Posted by Soulskill on from the security-through-red-tape dept.

GovTechGuy writes "White House Cybersecurity czar Howard Schmidt will be hosting a meeting Wednesday with the Secretaries of DHS and Commerce in which he is expected to discuss the administration's new attempt to change the economic incentives surrounding cybersecurity. Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win. The White House could be considering things like tax incentives, liability and insurance breaks, and other steps to try and get companies to invest in protecting their networks. It's also likely to dovetail with a step up in enforcement, so hackers be wary."

9 of 47 comments (clear)

  1. Insurance? by Monkeedude1212 · · Score: 3, Interesting

    I mean, an insurance company won't insure your house if you don't put a lock on the door, so why should anyone care for cyber-security if a company doesn't take any measures to protect itself?

    If you've got a network worthy of necessary security, it's not that hard to set up a linux firewall between your router and your gateway.

    1. Re:Insurance? by Monkeedude1212 · · Score: 3, Insightful

      I wasn't suggesting that - but it seems like we're paying people to try and lock their door, I don't remember any Tax break for putting locks on my door, even if my house was filled with other people's personal info.

      So, if an Insurance company won't insure someone because they don't put forth the effort to show they even want their stuff protected, why should Tax payer dollars support people who never cared to protect it in the first place?

      As an optional incentive, it seems pointless. Corporations will claim they set up security in order to save on taxes.

  2. fix the banks by Lord+Ender · · Score: 3, Interesting

    The major targets of hackers these days are financial in nature: account numbers or systems authorized to perform wire transfers.

    The real solution to security is not to give companies more incentive to secure their information, but to give hackers less incentive to hack. Make a standard, PKI-based, government-regulated solution for financial transactions. Require that all transactions be digitally signed by smart cards, for example. Ensure that someone possessing your account numbers or even your passwords could not use them to transfer money from your account.

    It sounds like they are going after the wrong incentives right now...

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:fix the banks by shentino · · Score: 4, Insightful

      ZOMG MARK OF THE BEAST MARK OF THE BEAST!!!1!!

      Seriously, do you know how many tin foil hatters would scream bloody murder if the government even tried something like that?

    2. Re:fix the banks by stanlyb · · Score: 2, Funny

      What? You wanna every single individual to have secure, encrypted and independent communication channel??? Just forget it, in fact, the government wants you to be scared and afraid, and thus more "manageable".

  3. 1st step by naz404 · · Score: 2

    First things first. I propose that the U.S. government tap the creative forces of the 4chan, worth1000 and Fark Photoshop communities for a cost-effective and highly creative solution to replace the godawful uninspiring motivational posters being distributed by the United States Office of the Director of National Intelligence, Office of the National Counterintelligence Executive :

    Check 'em out here: http://www.ncix.gov/publications/posters/index.html

    "ONCIX does not provide printed copies of our posters. These materials are NOT copyrighted, and you are welcome to download, print, and disseminate our posters freely to promote greater counterintelligence awareness."

    --
    http://www.object404.com
  4. Right by chris+mazuc · · Score: 4, Insightful

    Anything with the word cyber in it is automatically bullshit as far as I'm concerned, so lets dig a little deeper. Who is coming to this meeting?

    Among those invited is Larry Clinton, president of the Internet Security Alliance, which represents a range of critical private security industries concerned about cybersecurity.

    Ah, the Internet Security Alliance. And who do they represent? No major software or hardware companies are listed. (Symantec doesn't count) Funny enough, I see companies like Raytheon, Boeing, and Lockheed Martin. I'm just speculating (you know, this being /. and all), but something tells me the good ol' boys of the defense industry are trying to get another gravy train started up here.

    --
    E pluribus unum
  5. Simpler Fix by copponex · · Score: 3, Insightful

    Require banks to pay for every single breach that is their fault. Right now, it's the merchants who get screwed. If someone walks into one of the retail outlets I consult for with a fake ID, matching fake credit card, and walks out with the merchandise, 9 times out of 10 there is some obscure rule that wasn't followed that will allow the cardholder to get their money back, and the bank to get their money back, leaving the merchant with the option to take cash only or take the hit and continue doing business. "Cybercrime" -- or as I like to call it, 21st Century Crime -- only gets worse from here.

    This is free market capitalism at it's finest, where the costs always find their way to the entity with enough money to pay the bill, but not enough to fight the system that forces them to pay. Unfortunately, the government not giving two shits about small businesses has been old news for some time. Hopefully people are going to wise up and realize that you don't do away with the government, just the lobbyists and corporate revolving door that is currently ruining it.

  6. Re:Incentivizing Good Behavior by Doc+Hopper · · Score: 2, Insightful

    Sure, on the side of the people doing the security stuff. But audits for compliance with regulations is really the minimal standard applied at my work -- a VERY large software company -- and little else. If there's no financial repercussion for lack of a security implementation, that thing is never, ever put in. Not even if it's "best practice". If we have to have it, good, put it in, but if we don't absolutely have to, the security request rots forever in the hell of a planned upgrade some day.

    We recently had a project that was like that. Five planned phases. Phases three and four had a major focus on security implementations. Well, they did Phase 1, the rollout, and Phase 2, the integration with other apps, then the next thing everybody heard we were at Phase 5, showing this off as a showpiece of integration. When I called the vice-president to complain about this, his response was basically "we'll get around to it, it's not a problem."

    Welcome to modern large-scale software design. If you aren't legally required to have some certain bit of security in place, with financial repercussions for violation, it isn't happening. And it's not the software company that suffers in the case of a breach; it's the privacy and security of the innocent people USING that service.

    --

    Matthew P. Barnson
    I learn what I think when I read what I write