Slashdot Mirror


Cybersecurity and the Internet Economy

Orome1 writes "Global online transactions are currently estimated by industry analysts at $10 trillion annually. As Internet business grows, so has the threat of cybersecurity attacks. The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.'"

32 comments

  1. Good 4 consumers, AND business! by Anonymous Coward · · Score: 2, Interesting

    And, about time! I can see this working out for businesses that comply, because it's a note of confidence to those that do business w/ said business, and good "P.R. image" too! Sort of like Sarbanes Oxley, &/or ISO standards, but imo, this is more effective (especially for online commerce).

    Thoughts?

    APK

    P.S.=> This could also work out for more IT related employment, for us "geeks/nerds" out there as well... bonus!

    ... apk

    1. Re:Good 4 consumers, AND business! by mlts · · Score: 1

      Sarbanes Oxley compliance != security.

      SOX has made SAN makers rich due to having to store E-mail for a long amount of time (50 years if you have anything to do with aerospace).

      It also has pushed out F/OSS solutions because without "due diligence" (which means products need FIPS certifications, Common Criteria, yadda, yadda, pretty tags that require a lot of money to pay an independent testing lab to get approved), people might see prison time.

      That is if the law is enforced... AFAIK, HIPAA was enforced once.

      Voluntary codes won't work. It is actual laws that will make businesses hurt where it counts that will be the only impetus that will make a lot of businesses [1] lock their barn doors.

      [1]: Some companies actually do have good security. However, a lot view security as a cost center so don't really bother, other than maybe spitting out a few buzzwords like loose flatulence after a Pancho's dinner.

    2. Re:Good 4 consumers, AND business! by betterunixthanunix · · Score: 1

      It also has pushed out F/OSS solutions because without "due diligence" (which means products need FIPS certifications, Common Criteria, yadda, yadda, pretty tags that require a lot of money to pay an independent testing lab to get approved), people might see prison time.

      Except that there are free software systems that have FIPS and CC certifications -- RHEL certainly comes to mind (no surprises there, considering who their customers are).

      --
      Palm trees and 8

    3. Re:Good 4 consumers, AND business! by Jeremiah Cornelius · · Score: 1

      PCI-DSS.

      It already renders this action late and irrelevant.

      And the compliance it mandates is - for the better part - excellent, prescriptive security configuration advice.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."

  2. please, people by Anonymous Coward · · Score: 0

    stop saying "cyber"!

    1. Re:please, people by chemicaldave · · Score: 1

      Just why exactly? I haven't heard an argument against using the term "cyber" other than "I don't like it." The word is being used the way it is. Get used to it.

    2. Re:please, people by Anonymous Coward · · Score: 0

      Dear troll, ... Because it means sex and everyone knows it - and not just sex, but hilarious, frustrated, sticky-keyboard, alone-in-a-dark-room-squinting-at-a-blinking-cursor "sex" where it looks/"reads" like two hot chicks but is really two big fat hairy guys pretending to be two hot chicks. It's not a good idea to use something with such a well-known double meaning for print material when trying to present a serious idea. Of course the issue being discussed here is also more than a little comical... Anyways, get used to it too. Kid. :)

      All the best,

      A.P.K.

    3. Re:please, people by Anonymous Coward · · Score: 0

      Cyber means controlling something from afar, for example surgeries using machinery where the surgeon is in a different country to the patient.

      It comes from the Greek word for steersman: someone who steers an animal from afar.

      So in this case, Cybersecurity means security being controlled from somewhere else: perhaps a droid security guard piloted by someone in a safe location.

  3. Pee Dee Eff Source Report. by xMrFishx · · Score: 2

    Report PDF here.

    1. Re:Pee Dee Eff Source Report. by xMrFishx · · Score: 2

      It also only contains the word "cyber" 351 times in a 67 page report. That's still 350 occurrences too many, though I feel.

    2. Re:Pee Dee Eff Source Report. by synapse7 · · Score: 1

      cyber Cyber CYBER!!

    3. Re:Pee Dee Eff Source Report. by Anonymous Coward · · Score: 0

      I swear, some old fart picked up on the "cyber" thing in the late 90's, and everyone since has just been using it as a blanket prefix for anything internet related. They don't realize how dumb they sound.

    4. Re:Pee Dee Eff Source Report. by Anonymous Coward · · Score: 1

      Try copypasting the PDF to cybercybercyber.txt, and then running:
      cat cybercybercyber.txt | tr 'A-Z' 'a-z' | tr '\n\r' ' ' | grep -o 'cyber...[^ ]*[a-z]' | sort | uniq -c | sort -rn

      The top cyberbuzzwords are:
      227 cybersecurity
      15 cyberinsurance
      14 cyberspace
      10 cyber attacks

      The article uses the following very annoying, and rather stupid phrases/words:

      cyber attack,
      cyber breach
      cyber crime,
      cyber defense,
      cyber economics,
      cyber ecosystem,
      cyber hygiene
      cyber incidents,
      cyber insurance,
      cyber insurers
      cyber intrusions,
      cyber issues,
      cyber knowledge,
      cyber leap,
      cyber management,
      cyber patriot
      cyber professionals
      cyber risk
      cyber security
      cyber service
      cyber threat,
      cyber-attack
      cyber-breach,
      cyber-incidents,
      cyber-insurance
      cyber-protection
      cyber-risk
      cyber-security
      cyberattacks,
      cybercrime,
      cyberinsurance,
      cyberinsurers
      cyberrisk
      cybersecurity
      cyberspace,
      (random comments inserted by me, not necessarily in original text. I needed to circumvent Slashdot's "lameness filter".)
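The same buzzword count as an added example (not part of the original comment), written as a shell function that goes one step further than the one-liner above: it folds the open ("cyber x"), hyphenated ("cyber-x") and closed ("cyberx") spellings the comment lists into one form before counting. The sample text is constructed here and is not taken from the report.

```shell
#!/bin/sh
# Constructed sample text standing in for the report; the real PDF is not used.
SAMPLE='Cybersecurity matters. A cyber attack, a cyber-attack and a cyberattack
are the same thing; cyber insurance, cyber-insurance and cyberinsurance likewise.
Cyberspace is not a cyber hygiene metric.'

# Print "count term" lines, most frequent first. The open, hyphenated and
# closed spellings are folded into the closed form before counting, so
# "cyber attack", "cyber-attack" and "cyberattack" are tallied together.
# (Any word directly after a bare "cyber" gets folded; good enough for a tally.)
count_cyber_terms() {
    printf '%s\n' "$1" \
    | tr 'A-Z' 'a-z' \
    | tr '\r\n' '  ' \
    | sed 's/cyber[ -]\([a-z]\)/cyber\1/g' \
    | grep -o 'cyber[a-z]*' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Count for one folded term (e.g. "cyberattack"), or 0 if it never occurs.
term_count() {
    n=$(count_cyber_terms "$1" | awk -v t="$2" '$2 == t { print $1 }')
    echo "${n:-0}"
}

count_cyber_terms "$SAMPLE"
```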

    5. Re:Pee Dee Eff Source Report. by Anonymous Coward · · Score: 0

      Ugh, "cyber patriot"? It hurts.

  4. Crack some heads. by Anonymous Coward · · Score: 0

    The FBI also need to beef up their law enforcement efforts, arrest some of these shitheads as a "show of force", to act as a deterrent.

    Right now there is the impression you can hack whoever the fuck you want with no consequences.

    I'm getting quite sick of all this hacking crap.

    1. Re:Crack some heads. by mlts · · Score: 4, Insightful

      We already had that. Operation Sun Devil.

      Result: The US is very hard pressed to find any true blackhats to work for them, while China considers them the same as front line infantry or artillery troops, and pays them very well. Russia, same.

      If we had another hacker pogrom, the people that would get scooped up wouldn't be the true people causing the breaches at SCEA, SOE, or other places. Those guys are clued enough to use compromised machines on Joe Sixpack's coffee table, or offshore sites.

      The people picked up would be people in the iPhone Dev Team, the ROM modders at XDA Developers, and others like that... low hanging fruit that are not doing anything against the law, but are interfering with profits or the will of a CEO somewhere.

    2. Re:Crack some heads. by Anonymous Coward · · Score: 0

      The FBI needs ..., not need.

      I know it's annoying to Americans to hear Europeans refer to companies in the plural -- Apple are, Google were -- but this is different. This is wrong.

      You wrote: "The Federal Bureau of Investication also need to ...".

      The Bureau need to...

      Learn to engrish!

  5. PCI-DSS by Anonymous Coward · · Score: 0

    So do these industry-enacted data security standards actually work? I'm just wondering 'cause it seems they're enacted as a way to charge customers another useless fee!

  6. what a generic comment by Trepidity · · Score: 1

    Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from [INSERT SUBJECT HERE]'."

    1. Re:what a generic comment by Anonymous Coward · · Score: 0

      This could be a fun game:

      [INSERT SUBJECT HERE] = "security auditors."
      [INSERT SUBJECT HERE] = "unscrupulous security vendors."
      [INSERT SUBJECT HERE] = "accounting auditors who have no business auditing IT operations."
      [INSERT SUBJECT HERE] = "bogus threats."
      [INSERT SUBJECT HERE] = "those damned meddling kids!"

  7. Is there a short-term profit in it? by Anonymous Coward · · Score: 0

    :sound of PDF viewer window closing:

  8. Simple rules can't cope with a complex world by Anonymous Coward · · Score: 0

    You system engineers would never allow such simplistic thinking when dealing with the relatively-simple systems you design and build.

    In comparison, the complexity of the systems we live within and deal with is enormous. "Best practices" is an ongoing battle, at best. Even simple rules like 'apply the latest security patches' have exceptions, e.g. you probably should apply any patch for a site that uses RSA's authentication until that problem is straightened out.

    You can't write a handbook for life, and you can't write meaningful (detailed enough to matter) laws, rules, regulations for dealing with any significant part of life.

    This is, at root, a lot of what is wrong with our society these days: we all are forced to lie in order to get anything done, and too many people get in the habit of doing so without much necessity. Trust dies, the cost of everything increases to compensate.

    Nobody has proven to me that any gov action does net good, beyond the minimum necessary for civilization. Even that is routinely accomplished by Councils of Elders in Afghanistan.

    1. Re:Simple rules can't cope with a complex world by Rob Riggs · · Score: 2

      There is a simple answer to all of this. Hold legal entities financially liable for security breaches. Companies will need to buy insurance to cover this liability. Insurance companies will set rates based on practices that actually, verifiably work to reduce security breaches. Companies will have a financial incentive to implement those practices.

      Problem solved.

      Until there is a strong financial incentive to implement practices that work to reduce security breaches, this will not ever be fixed.

      --
      the growth in cynicism and rebellion has not been without cause

    2. Re:Simple rules can't cope with a complex world by AmiMoJo · · Score: 1

      You hit the nail on the head. Companies look at security and see that it costs money with no benefit other than preventing something that might happen. Even when that thing does happen they will just say they are a victim of crime and don't we already pay the police/FBI via taxes so why would we need insurance?

      I agree that financial penalties mandated by law are the way to get security taken seriously, but it would be nice if consumers started to react too. How many people decided to delete their PSN accounts and return their PS3 over Sony's data losses?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  9. Uhm, I never said SOX was about security, and... by Anonymous Coward · · Score: 0

    See subject-line, you assume too much man:

    "Sarbanes Oxley compliance != security." - by mlts (1038732) * on Wednesday June 08, @04:34PM (#36379922)

    Ahem: I never said SOX was security oriented though... can you show me where I did? I didn't even INFER or IMPLY IT!

    (As it's only another form of compliance that SHOULD help things, & I used it as an analogous comparison (not the 'greatest' one, but, there you are))...

    ISO was another I utilized, to help "make a point"... that's all!

    ---

    "That is if the law is enforced... AFAIK, HIPAA was enforced once." - by mlts (1038732) * on Wednesday June 08, @04:34PM (#36379922)

    It was when I worked for a fairly large insurer (clients are WWF etc.), & I had to do all kinds of security-oriented coding (e.g.-> Secure FTP & more for data transfers).

    That was back 2005-2007... are you telling me it's being "blown off" nowadays? That's news to me, but I haven't talked to any of my former co-workers there since 2008 or so...

    (It was a "bonus point" for that company getting clients in fact by them following HIPAA std.'s (which is "the why" of WHY I noted this can be a good "P.R." thing for businesses to attract clients with!))

    ---

    "Voluntary codes won't work. It is actual laws that will make businesses hurt where it counts that will be the only impetus that will make a lot of businesses [1] lock their barn doors." - by mlts (1038732) * on Wednesday June 08, @04:34PM (#36379922)

    THAT? That I can agree with... however/again: It's a "plus point" if say, a company can say they are ISO certified, HIPAA compliant, etc./et al!

    (Which is the 'why' again, of WHY I stated it as I did!)

    APK

    P.S.=> I think we're working on the same "wavelength" here though, just some 'crossed-wires' & you assumed I was talking security on SOX, & I wasn't... I just hope this ends up getting more tech people jobs mostly, is all, AND, that it does aid in securing things online etc. too! apk

  10. Only voluntary for a few days .. by dweller_below · · Score: 1

    Interesting definition of voluntary. Once you wade through 22 pages of fluff, you find (in the middle of the page numbered 12):

    "These voluntary codes of conduct, developed through multi-stakeholder processes.. Once these codes have been developed to and companies have committed to follow them, relevant law enforcement agencies, such as Federal Trade Commission (FTC) and State Attorneys General, could enforce them, .."
    [Next page]
    "The FTC's role in challenging both deceptive and unfair acts or practices in the data security area is vital so that companies' voluntary efforts to implement specific cybersecurity best practices are backed by a legal obligation to implement reasonable and appropriate security."

    So, you volunteer to obey whatever laws are implemented. Hmm. That sounds like my dad's description of life in the military.

    I think the Commerce department wants more laws regulating the internet. But, they want the appearance of accepting input.

    Miles

    1. Re:Only voluntary for a few days .. by David W. White · · Score: 1

      Dweller: I've done a lot of research in this area. Some time ago I was exploring the idea of using laws and financial incentives to coerce or "force" developers/companies to implement best practices and canvassed a few hundred firms to get their take. The overwhelming response was that they didn't think it was a good idea, some thought it would drive them out of business, stifle competition, etc. Then I came across the full green paper from Dept of Comm. before reading this on /. In light of what happened to Sony etc, I wonder what would be the response now, if I asked the same questions again?

    2. Re:Only voluntary for a few days .. by dweller_below · · Score: 2

      I just find it a bit hypocritical to say voluntary when they intend to use force.

      We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.

      Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:

      1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselves, we could eliminate much of the internet's attacking bots, if we could get anybody to listen to us. The government could help in several ways. Once we proved ourselves, they could vouch for us. They could provide a central repository for this info so anybody could check to see if they are a bot. They could pass credible info back to the owners.

      2) Security NEEDS Metrics: https://it.wiki.usu.edu/SecurityPerformanceMetric Bot Epidemiology can provide us with useful measurements that demonstrate the actual effectiveness of a security regime. But nobody is publishing the info. And, everybody who is currently measuring seems to have their own agendas. We need a cybersecurity CDC. Maybe a CSCBC. A central, accurate source of historical infection rates. Searchable by CIDR.

      Miles

  11. The problem is government by Anonymous Coward · · Score: 0

    If we didn't have laws punishing hackers, several corporations would already have gone under and the rest would have adapted to the environment with better protections. Government has made us complacent by suggesting that a legal defense can be alongside a physical/practical/technological defense. Most companies still physically secure their accounting database backups in vaults and such but completely miss the point that the servers themselves need to have that kind of security.

  12. oooh look! by Anonymous Coward · · Score: 0

    "adoption of standards and best practices" or:
    let's write better code, put profit on the backburner and stop rushing code out the door. : P

  13. Riiiight by Anonymous Coward · · Score: 0

    lol voluntary. Yea, that'll work.