Cybersecurity and the Internet Economy

Orome1 writes "Global online transactions are currently estimated by industry analysts at $10 trillion annually. As Internet business grows, so has the threat of cybersecurity attacks. The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.'"

Good 4 consumers, AND business!

And, about time! I can see this working out for businesses that comply, because it's a note of confidence to those that do business w/ said business, and good "P.R. image" too! Sort of like Sarbannes Oxley, &/or ISO standards, but imo, this is more effective (especially for online commerce).

Thoughts?

APK

P.S.=> This could also work out for more IT related employment, for us "geeks/nerds" out there as well... bonus!

... apk

Re:Good 4 consumers, AND business!

[mlts]

Sarbanes Oxley compliance != security.

SOX has made SAN makers rich due to having to store E-mail for a long amount of time (50 years if you have anything to do with aerospace).

It also has pushed out F/OSS solutions because without "due diligence" (which means products need FIPS certifications, Common Criteria, yadda, yadda, pretty tags that require a lot of money to pay an independent testing lab to get approved), people might see prison time.

That is if the law is enforced... AFAIK, HIPAA was enforced once.

Voluntary codes won't work. It is actual laws that will make businesses hurt where it counts that will be the only impetus that will make a lot of businesses [1] lock their barn doors.

[1]: Some companies actually do have good security. However, a lot view security as a cost center so don't really bother, other than maybe spitting out a few buzzwords like loose flatulence after a Pancho's dinner.

Re:Good 4 consumers, AND business!

[betterunixthanunix]

It also has pushed out F/OSS solutions because without "due diligence" (which means products need FIPS certifications, Common Criteria, yadda, yadda, pretty tags that require a lot of money to pay an independent testing lab to get approved), people might see prison time.

Except that there are free software systems that have FIPS and CC certifications -- RHEL certainly comes to mind (no surprises there, considering who their customers are).

Re:Good 4 consumers, AND business!

[Jeremiah+Cornelius]

PCI-DSS.

It already renders this action late and irrelevant.

And the compliance it mandates is - for the better part - excellent, prescriptive security configuration advice.

Pee Dee Eff Source Report.

[xMrFishx]

Report PDF here.

Re:Pee Dee Eff Source Report.

[xMrFishx]

It also only contains the word "cyber" 351 times in a 67 page report. That's still 350 occurrences too many, though I feel.

Re:Pee Dee Eff Source Report.

[synapse7]

cyber Cyber CYBER!!

Re:Pee Dee Eff Source Report.

Try copypasting the PDF to cybercybercyber.txt, and then running:
cat cybercybercyber.txt | tr 'A-Z' 'a-z' | tr '\n\r' ' ' | grep -o 'cyber...[^ ]*[a-z]' | sort | uniq -c | sort --reverse

The top cyberbuzzwords are:
227 cybersecurity
15 cyberinsurance
14 cyberspace
10 cyber attacks

The article uses the following very annoying, and rather stupid phrases/words:

cyber attack,
cyber breach
cyber crime,
cyber defense,
cyber economics,
cyber ecosystem,
cyber hygiene
cyber incidents,
cyber insurance,
cyber insurers
cyber intrusions,
cyber issues,
cyber knowledge,
cyber leap,
cyber management,
cyber patriot
cyber professionals
cyber risk
cyber security
cyber service
cyber threat,
cyber-attack
cyber-breach,
cyber-incidents,
cyber-insurance
cyber-protection
cyber-risk
cyber-security
cyberattacks,
cybercrime,
cyberinsurance,
cyberinsurers
cyberrisk
cybersecurity
cyberspace,
(random comments inserted by me, not necessarily in original text. I needed to circumvent slashdot's "lameness filter".)

Re:Crack some heads.

[mlts]

We already had that. Operation Sun Devil.

Result: The US is very hard pressed to find any true blackhats to work for them, while China considers them the same as front line infantry or artillery troops, and pays them very well. Russia, same.

If we had another hacker pogrom, the people that would get scooped up wouldn't be the true people causing the breaches at SCEA, SOE, or other places. Those guys are clued enough to use compromised machines on Joe Sixpack's coffee table, or offshore sites.

The people picked up would be people in the iPhone Dev Team, the ROM modders at XDA Developers, and others like that... low hanging fruit that are not doing anything against the law, but are interfering with profits or the will of a CEO somewhere.

what a generic comment

[Trepidity]

Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from [INSERT SUBJECT HERE]'."

Re:please, people

[chemicaldave]

Just why exactly? I haven't heard an argument against using the term "cyber" other than "I don't like it." The word is being used the way it is. Get used to it.

Re:Simple rules can't cope with a complex world

[Rob+Riggs]

There is a simple answer to all of this. Hold legal entities financially liable for security breaches. Companies will need to buy insurance to cover this liability. Insurance companies will set rates based on practices that actually, verifiably work to reduce security breaches. Companies will have a financial incentive to implement those practices.

Problem solved.

Until there is a strong financial incentive to implement practices that work to reduce security breaches, this will not ever be fixed.

Only voluntary for a few days ..

[dweller_below]

Interesting definition of voluntary. Once you wade through 22 pages or fluff, you find (in the middle of the page numbered 12):

"These voluntary codes of conduct, developed through multi-stakeholder processes.. Once these codes have been developed to and companies have committed to follow them, relevant law enforcement agencies, such as Federal Trade Commission (FTC) and State Attorneys General, could enforce them, .."
[Next page]
"The FTC's role in challenging both deceptive and unfair acts or practices in the data security area is vital so that companies' voluntary efforts to implement specific cybersecurity best practices are backed by a legal obligation to implement reasonable and appropriate security."

So, you volunteer to obey whatever laws are implemented. Hmm. That sounds like my dad's description of life in the military.

I think the Commerce department wants more laws regulating the internet. But, they want the appearance of accepting input.

Miles

Re:Only voluntary for a few days ..

[David+W.+White]

Dweller: I've done a lot of research in this area. Some time ago I was exploring the idea of using laws and financial incentives to coerce or "force" developers/companies to implement best practices and canvassed a few hundred firms to get their take. The overwhelming response was that they didn't think it was a good idea, some thought it would drive them out of business, stifle competition, etc. Then I came across the full green paper from Dept of Comm. before reading this on /. In light of what happened to Sony etc, I wonder what would be the response now, if I asked the same questions again?

Re:Only voluntary for a few days ..

[dweller_below]

I just find it a bit hypocritical to say voluntary when they intend to use force.

We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.

Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:

1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselves, we could eliminate much of the internet's attacking bots, if we could get anybody to listen to us. The government could help in several ways. Once we proved ourselves, they could vouch for us. They could provide a central repository for this info so anybody could check to see if they are a bot. They could pass credible info back to the owners.

2) Security NEEDS Metrics: https://it.wiki.usu.edu/SecurityPerformanceMetric Bot Epidemiology can provide us with useful measurements that demonstrate the actual effectiveness of a security regime. But nobody is publishing the info. And, everybody who is currently measuring seems to have their own agendas. We need an cybersecurity CDC. Maybe a CSCBC. A central, accurate source of historical infection rates. Searchable by CIDR.

Miles

Re:Simple rules can't cope with a complex world

[AmiMoJo]

You hit the nail on the head. Companies look at security and see that it costs money with no benefit other than preventing something that might happen. Even when that thing does happen they will just say they are a victim of crime and don't we already pay the police/FBI via taxes so why would we need insurance?

I agree that financial penalties mandated by law are the way to get security taken seriously, but it would be nice if consumers started to react too. How many people decided to delete their PSN accounts and return their PS3 over Sony's data losses?