Cybersecurity and the Internet Economy
Orome1 writes "Global online transactions are currently estimated by industry analysts at $10 trillion annually. As Internet business grows, so has the threat of cybersecurity attacks. The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.'"
And, about time! I can see this working out for businesses that comply, because it's a note of confidence to those that do business w/ said business, and good "P.R. image" too! Sort of like Sarbanes-Oxley, &/or ISO standards, but imo, this is more effective (especially for online commerce).
Thoughts?
APK
P.S.=> This could also work out for more IT related employment, for us "geeks/nerds" out there as well... bonus!
... apk
Report PDF here.
We already had that. Operation Sun Devil.
Result: The US is very hard pressed to find any true blackhats to work for them, while China considers them the same as front line infantry or artillery troops, and pays them very well. Russia, same.
If we had another hacker pogrom, the people that would get scooped up wouldn't be the true people causing the breaches at SCEA, SOE, or other places. Those guys are clued enough to use compromised machines on Joe Sixpack's coffee table, or offshore sites.
The people picked up would be people in the iPhone Dev Team, the ROM modders at XDA Developers, and others like that... low hanging fruit that are not doing anything against the law, but are interfering with profits or the will of a CEO somewhere.
There is a simple answer to all of this. Hold legal entities financially liable for security breaches. Companies will need to buy insurance to cover this liability. Insurance companies will set rates based on practices that actually, verifiably work to reduce security breaches. Companies will have a financial incentive to implement those practices.
Problem solved.
Until there is a strong financial incentive to implement practices that work to reduce security breaches, this will not ever be fixed.
the growth in cynicism and rebellion has not been without cause
I just find it a bit hypocritical to say voluntary when they intend to use force.
We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.
Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:
1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselves, we could eliminate much of the internet's attacking bots, if we could get anybody to listen to us. The government could help in several ways. Once we proved ourselves, they could vouch for us. They could provide a central repository for this info so anybody could check to see if they are a bot. They could pass credible info back to the owners.
2) Security NEEDS Metrics: https://it.wiki.usu.edu/SecurityPerformanceMetric Bot Epidemiology can provide us with useful measurements that demonstrate the actual effectiveness of a security regime. But nobody is publishing the info. And, everybody who is currently measuring seems to have their own agendas. We need a cybersecurity CDC. Maybe a CSCBC. A central, accurate source of historical infection rates. Searchable by CIDR.
Miles
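As an added illustration of the clearinghouse and per-CIDR infection-rate idea in the comment above (example code written for this page, not anything from the post or the linked wiki), this aggregates a constructed daily attacker list and answers "how many reported attackers sit in this CIDR on this day" and "is my address on the list". The log format and all addresses are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one observed attack per line, "date,source_ip,dest_port".
# Not real data; a stand-in for the daily attacker lists the comment describes.
SAMPLE_LOG = """\
2011-06-08,203.0.113.7,445
2011-06-08,203.0.113.7,445
2011-06-08,203.0.113.42,22
2011-06-08,198.51.100.9,445
2011-06-09,203.0.113.7,445
2011-06-09,198.51.100.200,3389
2011-06-09,192.0.2.14,22
"""

def parse_records(text):
    """Yield (date, ip_address) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # unparsable address: drop the record rather than crash

def infected_hosts_by_day(text):
    """Map each date to the set of distinct attacking addresses seen that day."""
    seen = defaultdict(set)
    for day, ip in parse_records(text):
        seen[day].add(ip)
    return seen

def infection_rate(by_day, cidr, day):
    """Distinct attackers inside `cidr` on `day`: (count, fraction of the block)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = sum(1 for ip in by_day.get(day, ()) if ip in net)
    return hits, hits / net.num_addresses

def is_listed(by_day, ip, day):
    """Self-check an owner could run: was this address reported on that day?"""
    return ipaddress.ip_address(ip) in by_day.get(day, set())
```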