Cybersecurity Laws Would Do More Harm Than Good
Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering."
Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
" and, for once, we all should be thankful for our lawmakers' inability to act."
We should almost always be thankful of our lawmakers' inability to act. Consider how many times each day you say to yourself how glad you are that someone else decided something on your behalf.
Uncle Sam already plays a heavy hand by defining standards that apply to software products that are sold to the US government. Ever hear of FIPS 140-2? The document that says exactly which encryption algorithms are allowed and not allowed? Both Microsoft and Linux vendors (RedHat, SuSE) have incorporated FIPS mode in their operating systems. Not surprisingly, these modes are generally turned off...
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
It doesn't matter where the attack comes from, if the response is to counter-attack the computer system attacking you digitally.
You can imagine a team of experts taking over control of botnets or discovering control servers and using exploits to disable them.
In the end the owner of a system on a network has the responsibility to keep a system they control from attacking other systems on the network. If they are unable to do so other systems on the network being attacked should have the right of self-defense even if it means the attacking system goes down... if it's under outside control it's essentially already down, or at least very likely to be a source of harm to the owner even if they do not yet know it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?
Seriously, though. What kind of "action" does the honorable senator expect from Obama? I dunno, it seems Obama isn't just seen as some kind of magic worker by some voters (akin to "we gotta get the economy back on track, Obama, go and fix!"), it seems the honorable senator has fallen for the same spell. Great wizard Obama, swing your magic wand and DO SOMETHING!
There is no legal solution for it, though. First of all, you can't just outlaw hacking. That's already the case, you know? What do you want? More severe punishment? Doesn't faze the guy in Iran, China or $whatever-stan who wants to blow up your power plant. The only thing that might accomplish is to quench "hacktivism" akin to Anonymous with the drawback that everyone who actually knows a thing or two about hacking will keep their mouth shut instead of actually informing the relevant authorities.
Require companies to tighten their security? Then we are where we are already: where security is a topic for risk management, not for IT. How much does it cost to implement security? How much is the fine? How likely is it to happen? Now you can either lower the fine to a ridiculous amount where no halfway large company takes it seriously, or jack it up to a level where doing online business becomes Russian roulette for smaller companies.
Because, and here's the actual problem, there is no such thing as perfect security. If everything else fails, your admin might double cross you.
Still, the ONLY place where you can put the lever is the target of attacks, not the source, since the source, as has been stated above, is often outside of your jurisdiction. But is putting the burden on the victim really the way to go? I kinda doubt it.
Bottom line, as long as people and companies have no interest in security, no law you could draft will change their attitude towards it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In the 1990s, didn't the same senator demand laws against all crypto, causing PRZ to make PGP in the first place?
Wasn't he also behind the push for the Clipper chip, key escrow, and other GAK (government access to keys) measures?
*sigh* I wish I could vote for a Tim May and Black Unicorn ticket.
If folks actually think government agencies and industry aren't well aware of the criticality of the security threats then they are living in a fantasy world. I can believe congress has that attitude. Those folks are literally 10 years or more behind the curve in IT technology. And this just sounds like another attempt at grabbing more control of the internet by fear mongering.
When these laws are really about information control and licensing, universal taxation, universal copyright enforcement and universal surveillance.
The threat of terrorist attacks before 9/11--I'll interpret that to mean "the impending threat leading up to 9/11"--is nothing. It's akin to the threat of getting hit by a meteor, or lightning. It'll happen -eventually-, for sure; there's always been terrorists, lightning, and meteors. Here's the thing: Terrorists hit shit with the planes because of dumb luck. They've been in and out and tried this stuff for decades, finally got one through, and haven't since. TSA is ineffective as hell, but locked cockpit doors are a step up. Thing is, they're a step up when there's not suddenly The Brown Spy wandering around on every plane trying to get into the cockpit; the whole of Southeast Asia didn't become our enemy overnight, they're not all out to get us, and the people trying are still insane and stupid and relatively sparse (there's hundreds of them? On a planet with 7 billion people? Our country has 300 million people?).
The threat just isn't there. The internet is rough, it'll get rougher, but it's a nasty shitpipe for the bottom dregs of society as-is.
Support my political activism on Patreon.
It's about control, not the remote chance of finding something they say they are after. The real enemy, depending on which side you take, is the population or the government, not outsiders.
... for once, we all should be thankful for our lawmakers' inability to act ...
Only once? While gov't does occasionally get things right, getting it wrong is hardly a rare instance.
Think about how often gov't gets it wrong with respect to tech issues. The truth is they get it wrong just as often in other domains as well. We merely don't understand those other domains so we don't see the problems, we read some news article and all we see is legislation with good intentions. I'm sure some non-techie is reading an article about gov't going to increase cybersecurity and is thinking "sounds like a good idea".
IMHO we in the U.S. are judging our politicians too often by their good intentions rather than their actual performance, and politicians have adapted to this environment accordingly. All they really care about is that they hold the "correct" stand on an issue, not actually accomplishing anything. Until we start voting out people because they supported well intended but poorly thought out legislation little will change.
the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders.
I've played that Shadowrun module.
Not surprisingly? Do you have ANY clue on this subject at all?
What is wrong with mandating someone use a validated, tested algorithm and implementation instead of pulling one out of their ass and claiming their "proprietary solution" is superior?
The only thing turning off FIPS 140-2 compliance mode does is allow users to make stupid choices. FIPS mode prohibits that.
What's your issue?
Learning HOW to think is more important than learning WHAT to think.
I am constantly amazed at arguments in favor of whatever government action folks want that base their premise on the trustworthiness of government. Why does anyone think they can trust a government? Now I am certainly not an anarchist, however I take the same view of centralized government that the founders of the US took - powerful central governments will inevitably grow and be corrupted because they are comprised of humans who are eminently corruptible.
It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in the private sector. They are all made of the same human stuff, all just as corruptible - the only meaningful difference is that the humans in government wield the power of massive force to accomplish their goals.
The government has NO business getting involved with cyber security any more than they do getting involved with how I secure my house or car. The government sucks at doing things efficiently and using best practices - the examples are legion.
People need to take personal responsibility for their systems and decisions.
KK4SFV
Now the scenario of a digital Blackwater is not needed due to a lack of laws; rather, the problem is that officials will not investigate most cases even when they are in their jurisdiction and there is a clear trail of evidence. Often somebody can attack you numerous times, and you are on your own. This could be fixed by increasing the workforce.
It is impossible to completely protect against hackers. Human beings are really good at adapting, and hackers usually are really good at problem solving. The only thing these laws and shit do is make things harder for everyone. And the common end consumer pays the price. If they want to combat hackers, why don't they get their act together so that so many people won't be so pissed off? Preventing a problem is the best way to deal with the problem.
"Go all mercenary"
What the hell is that supposed to mean?
All Your Bits Are Belong To U.S.?
seriously, wtf government?
-
Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now.
Anyone who honestly believes any sort of law would stop these attackers needs to pull their head out of their ass.
If they can't do anything, they can't do anything to us. Vote a split ticket this November and preserve the balance!
Interestingly, William Gibson had that idea in 1982, or so. Google "Burning Chrome".
Just legislate that every 3 years an industrial site must open itself to a 1 week pwn-to-own event. If anyone can pwn the control system they get to own the plant.
Would make for some nice corporate-on-corporate events to gain control. Even enviro-on-corporate.
Yes this is quite silly. But might as well have it happen in the open rather than behind closed doors.
the network being attacked should have the right of self-defense
Be careful what you wish for. You might just get it.
A packet is not a bullet. Don't equate the two metaphorically.
When you start giving people attack authorization in an effort to curb ping floods you are asking for the same type of unfettered authority that big media used to go after Kim Dotcom. You will rue the day such a provision became the law of the land.
Sig Battery depleted. Reverting to safe mode.
Having worked with Chabinsky and Henry previously, I'm glad they're not in charge any longer.
Let's not forget there are companies, including the ones being attacked and hacked, that may very well benefit one way or another from the current state of cyber security as well. They have their own agendas to promote that are in the best interest of the company, but not the country or its citizens.
I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
"People need to take personal responsibility for their systems and decisions." - by one_who_uses_unix (68992) on Wednesday September 26, @12:46PM (#41465519) Homepage
Per my subject-line above: Agreed, & here's the EASIEST WAY for Windows users to do so @ least
(Via CIS Tool -> http://www.computerworld.com/s/article/9018362/CIS_tool_aims_to_help_federal_agencies_check_Windows_security_settings , a MULTI-PLATFORM security test that is FUN to use & do, almost like a performance benchmark, albeit, for system security instead...)
It is also FREE for Windows 2000/XP/Server 2003 users, & timeout version trial is available for Windows 7/Server 2008 users ( The 30-day trial is MORE THAN ADEQUATE to run it, & export the .reg file changes it makes to re-use again).
---
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA/Windows7/Server 2008, & make it "fun-to-do":
http://www.google.com/search?hl=en&source=hp&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1
---
To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.
That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...
Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't eve
His/her issue is probably the concept that one government can set a mandate on a piece of software used internationally.
I have a OC192 to the desktop, I want to be your back door man.
A packet is not a bullet. Don't equate the two metaphorically.
Metaphorically speaking, it can be identical. It is not always so, but a system being flooded by a botnet is under attack just as surely as a fortress with a thousand bullets flying at the walls.
When you start giving people attack authorization in an effort to curb ping floods you are asking for the same type of unfettered authority that big media used to go after Kim Dotcom.
We are talking self-defense of a server being attacked over a network.
In no way would what happened with Kim Dotcom be the same. The main reason of course is that Kim Dotcom was PHYSICALLY attacked. I am only talking about people attempting to electronically attack servers to the degree that they no longer attack - not storming in and taking actual server hardware.
Also Kim Dotcom was never involved in an attack on anyone. He was more like a library than an assault force (to brutally stretch the metaphor).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Start by picking the OS (Operating System) that is secure. Which OS do you think is secure: (A) Windows (B) OS X (C) Linux/Unix? Also, CPU companies like Intel Corp have a CPU ID (Identification). Most servers can trigger the OS for the CPU ID, which provides a triple witch of information. The information provides stuff like OS, IP, CPU ID, Region, etc. The most secure CPU might be coming from AMD and ARM. ARM has a patent for HW (Hardware) security. The ARM patent allows a secure handshake. IT MIGHT BE BETTER TO CREATE AN INFRASTRUCTURE FOR LINUX INSTEAD OF CREATING COMMUNISTIC LAWS THAT ATTACK CITIZENS. REMEMBER LIKE COMMUNISTIC CHINA, THAT USA DOESN'T USE WARRANTS ANYMORE.
When I hear the cybersecurity people talking about taking offensive action against intruders, I can't help thinking about Miles, "Brothers in Arms" and the infamous stunner tag sequence.
It doesn't. It mandates the use of FIPS 140-2 validated components when doing business with or for the Federal Gov't.
Most people wouldn't even know if it was turned on. All it really does is set a configuration where when you use crypto all that is available to choose from is 3DES and AES. And for hashes, SHA-1 or SHA-2 suite. You can't use MD5, Blowfish, DES, or some proprietary crap the vendor is trying to pawn off to lock you in.
And it must be a validated implementation. That is, you can't code up your own version of AES in JavaScript and use that. Yes, OpenSSL has a validated version and that is the core module used by almost everyone in FOSS land.
I'm having a hard time understanding why, of all the things gov't mandates, picking on THAT one as a bad example.
Learning HOW to think is more important than learning WHAT to think.
I had a chance to see General (Specific) Hayden perform at the Geriatric Thugs & Podium Assassins RapFest. And let me tell you; once he got limbered up with some warm milk and a few raw pork sausages, he really got funky. After the show, he told us 'bout hackin' on his AOL account. Said some bitches wuz 'bout to get bussed up on the tubes, yo. When I asked him if the gubmint knew what I was doing on da web, he said "Don't make me go mercenary an ya ass." an' I knew homey weren't playin no games.
Because on a serious note, these guys are little more than extremely well-funded, cyberphobic, pimpster penta-thugs with diseased imaginations. And a corrective suggestion, if we are to remain up-to-date: It's a "Digital Academi", not Blackwater. Or, we could just be hard, and confine our knowledge in the past while our minds bumble bewildered in the future -- 'cause it's a thug life, it pays well and looks good on the telly.
Forward! -- Emperor Norton, 2012
You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right? Among the dozens of other ways you can be misled about the source of something?
Not too smart to let your adversary control your targeting.
You do know that most "computer systems" are shared hosting, right?
I can't imagine a "team expert" doing very damn much good in most cases, but I can sure imagine a team cowboy doing a whole helluva lot of damage to disposable tentacles, and whole helluva lot of collateral damage along with it. And probably calling it a "success", too. Then they'll automate it and make it even more braindead. And it'll be another cash cow for the security equipment makers, and the software industry as a whole will continue to whine that it can't possibly make, you know, software that works and is at least slightly difficult to disrupt.
No, thanks.
Don't you think cybernetic systems should be secure?
And by the way, so should be cyborgs!
People who live in digital houses shouldn't throw packets...
F'n idiot bureaucrats treating cyber as if it is analogous to the real world.
If you thought DNSSEC was pure awesome tool to amplify your DDOS attacks kids just wait till you get to direct US government resources to attack your targets for you. Won't that be swell?
If you ever tire of getting your "friends" swatted at 3:00 in the morning just for laughs uncle sam has your back.
I have lots of issues with FIPS 140-2. Number one on the list is the fact that the list does more to constrain algorithms than to guarantee a good algorithm will be used. Number two... people are afraid to upgrade to a newer OpenSSL with security patches for fear of losing their precious $50,000 validation. I also have issues with the self-testing requirements. It's a waste of CPU time. Why make people wait an extra half-second every time they open a program that uses encryption?
Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA...
And William Gibson talked about offensive cyber security quite a few years before that-- he called it Black ICE. (ICE = Intrusion Countermeasure Electronics)
http://www.geoffreylandis.com
The ONLY parts that gave me a "hassle" & the CIS Tool folks agreed & AMENDED per my suggestions?
They were the parts regarding:
---
1.) USB (since everyone NEEDS usb pretty much, but, it does present autorun difficulties - which Linux &/or Windows have been patched for iirc)
2.) Security Dongles
3.) BIO metric based security like fingerprint scanners etc., NOT EVERYONE HAS!)
---
* Which CIS Tool for Windows 7 @ least, have been amended for... there are or were a couple of "false positives" in it that it did not 'pick up on' properly, but other than that?
Plus - The testimonials I included in my 1st post tend to show otherwise, as to "unusable systems", as well as my OWN TESTIMONIAL to that effect, once CIS Tool & the rest of what's in my security guide is applied, that you do NOT have an "unusable system" (far, Far, FAR from it in fact!).
APK
P.S.=>
"The *PROBLEM* is this isn't good enough." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)
Which is WHY my guide goes way, Way, WAY past what CIS Tool suggests alone...
---
"You CANNOT follow these configs to the letter for strict compliance and have usable systems." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)
That's not TOTALLY true, but, then again, I didn't get to READ those since PER MY SUBJECT-LINE ABOVE: you supplied NO LINKS to the settings you noted the gov't. uses, for direct study of the points you noted (guessing they're USB &/or BIOMetric stuff I mentioned though).
---
"At some point you have to provide complex services and those can be vulnerable to problems REGARDLESS of how well you secure the OS." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)
Then, you only SELECTIVELY use said services (whatever those are, beyond USB & BioMetrics I noted above), such as JAVA, JavaScript, ActiveX, Plugins of varying types for web browsers, Scripting of ALL FORMS, etc.!
(Which is EASY ENOUGH to do, via Opera's "By Site" preferences, globally setting them ALL INACTIVE first, & making exceptions for sites YOU CHOOSE to run those services on... FireFox has its NoScript which can help too, plus its OWN "internal blocklists" vs. bad sites (like Opera's URLFILTER.INI)).
---
"Even after that there are major issues with application security that can't be dealt with by configuration security." - by chill (34294) on Wednesday September 26, @02:53PM (#41467171)
Agreed - which is WHY my guide goes far beyond CIS Tool, & provides that which stalls that which YOU speak of here:
End user education (making users aware of who/what/when/where/how/why they get "hit" online)...
... apk
I'm not sure I understand. By constraining algorithm choice to good algorithms it guarantees a good algorithm will be used. Are you saying that the SHA-2 suite and AES are not good algorithms?
The recent validation of OpenSSL FIPS Object Module 2.0 should address fear of patches. If it doesn't, then they are either dicking with the code themselves and are rightfully fearful, or don't understand the process.
As for self-testing requirements, wow. That explains the issue. That mentality right there is why security frequently fails.
Obviously you don't consider the crypto really that important. And that may be rightfully so, depending on the corresponding risk analysis. But we're not talking about your online purchases from Amazon where your liability is limited to $50 in credit card fraud, we're talking about critical infrastructure. In these cases it matters. Getting it wrong can have consequences that could potentially be catastrophic.
In places that crypto is important to get right there is no such thing as "trust me, this is good". NO, YOU ARE NOT TO BE TRUSTED. WE MUST VERIFY. Yes, every time.
Learning HOW to think is more important than learning WHAT to think.
What possible good is re-encrypting the same test data every time you load the library? Either the algorithms are correct, or they're not.
You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right?
Presumably a "digital blackwater" would be able to double check before attacking.
You do know that most "computer systems" are shared hosting, right?
Yes, I also know that the shared hosting can impose processor and memory limits on slices so impact of attacking that share would not affect the other shares (unless you are talking about a reverse denial of service, which I am not).
I am not talking about a nuclear network response that takes out a data center, but hacking the specific system(s) attacking you.
I can sure imagine a team cowboy doing a whole helluva lot of damage to disposable tentacles, and whole helluva lot of collateral damage along with it.
Then the company launching the counter attack would be sued and that would be the end of that, which is why such a team would in fact be careful and not cowboy.
Then they'll automate it and make it even more braindead.
Which they would not do because, again, legal exposure.
it'll be another cash cow for the security equipment makers,
Got bad news for you bro; security equipment makers win either way.
In fact they win bigger in a system where you just let botnets have their way with you and let them carry on.
the software industry as a whole will continue to whine that it can't possibly make, you know, software that works and is at least slightly difficult to disrupt.
There I disagree. I think having infected systems being taken offline along with critical business systems will finally get management to realize there is a real cost to not paying attention to IT's desire to spend money securing systems, and companies as a whole would start to treat system security with the importance it deserves.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Here is the kind of double checking we got from "analog blackwater". You may have noticed it caused kind of a bit of concern at the time.
Why would one expect "digital blackwater" to be better, exactly? Cowboys are cowboys.
It's not that easy to get into just anything on demand. This team of yours is going to be under pressure to produce results. How long before they decide they have a "critical need" to resort to denial of service? Or before they decide that the best way in is to hack the hosting or virtualization platform itself, get that wrong, and shut down a bunch of innocents?
And shared hosting doesn't totally isolate clients from one another, either. Not even VPSes.
Um, people aren't generally that disciplined. The priorities of the moment take over. Especially because the incentives of the actual humans involved are not the incentives of the corporation. Get the boss off your back...
And what makes you think this mythical tiger team is going to make itself easy to trace and sue, anyway? You want to be stealthy so the "bad guys" don't come back on you. And, hey, you might as well be stealthy so that damaged third parties can't come back on you, either. "After all", these people will reason, "it was just an honest mistake".
So people getting sued would probably be a rarity, and that would lead to a "can't happen to me" attitude.
And once you normalize the behavior, it tends to escalate.
To ensure that the module itself hasn't been tampered with once it has been validated.
Verifying correctness of the algorithms and their implementation was the purpose of the lengthy NIST validation process.
After that, before each use, they're checking to make sure someone hasn't pulled a fast one and modified the code.
Ken Thompson's ACM classic Reflections on Trust back in 1984 really laid this issue bare. He was discussing compilers, and considering OpenSSL's validation is for source code and you can compile it yourself, it is very pertinent.
Learning HOW to think is more important than learning WHAT to think.
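The two checks described in the reply above (an integrity test that refuses a module modified after validation, and the per-load known-answer tests that the earlier comment called a waste of CPU time) are easy to picture in code. The block below is an added illustration written for this thread; it is not OpenSSL's FIPS Object Module, not any commenter's code, and not a validated module. The module image and the integrity key are constructed values for the example; the known-answer vectors are the published SHA-256 "abc" example from FIPS 180-4 and RFC 4231 test case 1 for HMAC-SHA-256.

```python
"""Simplified model of a FIPS 140-2 style power-on self-test (added example).

Two checks run before the 'module' is allowed to serve requests:
  1. a software integrity test: an HMAC-SHA-256 over the module image is
     compared with the value recorded at validation time, so a modified
     binary is refused;
  2. known-answer tests (KATs): each algorithm is run on a fixed input and
     compared with a published answer, so a broken or swapped implementation
     is refused even if the integrity check were somehow bypassed.
"""
import hashlib
import hmac

# Published test vectors (FIPS 180-4 "abc" example; RFC 4231 test case 1).
SHA256_KAT = (b"abc",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_SHA256_KAT = (b"\x0b" * 20, b"Hi There",
                   "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

# Constructed stand-in for a compiled crypto module; a real check would read
# the shared library from disk and the expected tag from a file beside it.
MODULE_IMAGE = b"EXAMPLE-CRYPTO-MODULE v1.0 " + bytes(range(256))
# Key fixed at build/validation time (hypothetical value for this example).
INTEGRITY_KEY = b"validation-time-integrity-key"


def compute_integrity_tag(image: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA-256 over the module image, as recorded at validation time."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


# Value a vendor would ship alongside the module (computed here once).
EXPECTED_TAG = compute_integrity_tag(MODULE_IMAGE)


def integrity_test(image: bytes, expected_tag: str = EXPECTED_TAG) -> bool:
    """True only if the image matches the tag recorded at validation time."""
    return hmac.compare_digest(compute_integrity_tag(image), expected_tag)


def known_answer_tests() -> dict:
    """Run each algorithm on its fixed input; compare with the published answer."""
    results = {}
    msg, expected = SHA256_KAT
    results["sha256"] = hashlib.sha256(msg).hexdigest() == expected
    key, msg, expected = HMAC_SHA256_KAT
    results["hmac-sha256"] = (
        hmac.new(key, msg, hashlib.sha256).hexdigest() == expected)
    return results


def power_on_self_test(image: bytes = MODULE_IMAGE) -> bool:
    """The module enters its operational state only if every test passes."""
    if not integrity_test(image):
        return False
    return all(known_answer_tests().values())


def tampered(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, modelling a binary patched after validation."""
    flipped = bytearray(image)
    flipped[offset] ^= 0x01
    return bytes(flipped)


if __name__ == "__main__":
    print("genuine module passes self-test:", power_on_self_test())
    print("patched module passes self-test:",
          power_on_self_test(tampered(MODULE_IMAGE, 40)))
```

Running the block prints `True` for the untouched image and `False` for the image with a single flipped bit, which is the whole point of the per-load integrity test: the validation proved the source correct once, and the tag check is what ties the binary actually loaded back to that validated code.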
If companies that went about gathering and/or storing sensitive information for others, then screw it up and allow that information into the wrong hands faced real liability for their failures perhaps more companies would do a better job of protecting their information. Or even better, some may opt to not gather/store the data in the first place.
I hope Congress is unable to pass cybersecurity legislation until its members understand the internet. The control systems for dams and power distribution can be disconnected from the internet; yet that's the prime scenario for scare stories about Chinese and Iranian hackers. After sufficient hype and scary publicity, laws are proposed to impose greater penalties on copyright violations and limit P2P file transfers in the name of cybersecurity. This happens OVER and OVER!
What we need is physical retribution against online threats. A nice drone strike would do nicely, since those are perfectly ok to use on anyone anywhere.
1) One of the links in the summary http://blogs.cio.com/security/17430/air-force-chief-ex-fbi-agent-cybersecurity-policy-cant-wait has a quote...
> He thinks companies that find proprietary data on an external server should be
> legally able to take action—to delete or encrypt the data. A company could
> then report the crime to the authorities so the government could search for the hacker.
Remember how a NASA video was mis-identified as property of Scripps Local News http://science.slashdot.org/story/12/08/06/1613211/nasas-own-video-of-curiosity-landing-crashes-into-a-dmca-takedown
Remember how some birds tweeting were mis-identified as "Rumblefish's exclusive intellectual property" http://yro.slashdot.org/story/12/02/26/2141246/youtube-identifies-birdsong-as-copyrighted-music
Now imagine if those same companies were authorized to DDOS your ISP or some other stupid stuff
2) Setting security standards... if a law was passed that only "secure systems" were allowed online, I could see Microsoft using bribes^H^H^H^H^H^H "campaign contributions" to ensure that only the latest patched version of Windows and Windows Office were allowed online.
These are just off the top of my head. I'm sure there's more.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Passing a law does not make anything secure. What makes things secure is spending resources and time towards security. Who should be spending those resources? The companies that are taking security risks and exposing attack areas.
Regarding incentives to do better, corporations already have them, as security attacks are PR nightmares which push consumers to competitors and losing money is bad business.
Congress on the other hand has incentives to over-estimate the risk and over-spend (since it's tax money being spent after all).
And finally, corporations have incentives to support and capture regulation so that they can socialize their costs. Instead of having to pay for some in-house security experts or hiring security services, corporations get taxpayers to pay for an "internet police" of some kind.
Regarding risk evaluation and education, security firms already do that as they try to sell their services. Regarding consumer protection, review magazines, competitive advertisement and reputation already serve that purpose. But as usual Congress wants to think it knows better and is eager to use centralized power and coercion instead of persuasion. But such coercion is not the basis for a healthy and peaceful society, and as political power continues to encroach, things will get worse, not better. That will sadly prompt more government intervention, feeding the cycle.
Politicians have been itching to get a power grab on the internet. They are just trying different avenues to see what the public will tolerate. SOPA was too much, try something else. Maybe protection privacy, security or maybe children. The recipe is claiming that voluntary and emerging solutions are insufficient (nevermind trying to prove that assertion) and then getting a foot in the door (regardless of whether it is actually a solution). If it doesn't pass the scrutiny of citizens, then try again.
These comments are mine; I do not speak for my employer.