Ed Felten: California Must Lead On Cybersecurity
An anonymous reader writes: In a Sacramento Bee op-ed, (in)famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn't mince words: "The odds of clearing Congress: low. The odds of materially improving security: even lower." What he suggests as an alternative, though, is a surprise. "California," he writes, "could blaze a trail for effective cybersecurity policy." He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It's an interesting idea. Even if it doesn't go anywhere, at least it's some fresh thinking in this area of backward policy.
From Felten's essay: Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks. Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing.
Of any state government's, California's policies also have the chance to help (or harm) the most people: nearly 39 million people, according to a 2014 U.S. Census estimate.
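The two failures Felten names, default passwords and direct reachability from the Internet, are exactly what a due-diligence audit of industrial automation systems would check first. The following is an added example, not code from the op-ed or from anyone quoted on this page: a small Python audit over a constructed device inventory that flags vendor default credentials, industrial protocols exposed on routable addresses, and one credential reused across sites. The product names, the default-credential table, the port list and the inventory rows are all assumptions made up for illustration; the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in for real public addresses, which is why the "routable" test below is written by hand rather than using `ipaddress.is_global` (Python treats the documentation ranges as non-global).

```python
"""Audit a constructed ICS/OT inventory for the basic failures an outside auditor
would look for: default credentials, Internet-reachable industrial protocols,
and credentials shared across sites. Added example; all names and data are
illustrative assumptions, not real assets."""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Well-known TCP/UDP ports of industrial protocols (port -> protocol name).
ICS_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed default-credential table keyed by product string (assumption:
# a real audit would take these from vendor manuals and advisories).
DEFAULT_CREDS = {
    "examplePLC-100": {("admin", "admin"), ("root", "password")},
    "exampleHMI-2": {("operator", "operator")},
}

# Address space that cannot be reached directly from the Internet. Written out
# explicitly so the documentation ranges used in the sample count as routable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",   # loopback, link-local, CGNAT
)]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample inventory: site, product, management IP, configured
# credential, and the ports found listening by an authorized scan.
SAMPLE_INVENTORY = """\
site,product,mgmt_ip,username,password,ports
pump-station-7,examplePLC-100,203.0.113.17,admin,admin,502 80
treatment-plant-2,examplePLC-100,10.20.5.8,admin,Xk9!r2Lq,502
treatment-plant-3,examplePLC-100,10.20.6.8,admin,Xk9!r2Lq,502
substation-4,exampleHMI-2,198.51.100.22,operator,G7v#pLm2,47808 443
control-room,exampleHMI-2,192.168.40.3,operator,operator,80
"""


@dataclass(frozen=True)
class Finding:
    site: str
    severity: str
    issue: str


def is_internet_routable(ip: ipaddress.IPv4Address) -> bool:
    """True if the address is outside every non-routable range above."""
    return not any(ip in net for net in PRIVATE_NETS)


def audit(inventory_csv: str) -> list[Finding]:
    """Return findings sorted by severity, then site."""
    findings: list[Finding] = []
    shared: dict[tuple, list[str]] = defaultdict(list)  # (product, creds) -> sites

    for row in csv.DictReader(io.StringIO(inventory_csv)):
        site, product = row["site"], row["product"]
        ip = ipaddress.ip_address(row["mgmt_ip"])
        exposed = is_internet_routable(ip)
        ports = {int(p) for p in row["ports"].split()}
        ics = [ICS_PORTS[p] for p in sorted(ports) if p in ICS_PORTS]
        creds = (row["username"], row["password"])
        shared[(product, creds)].append(site)

        # Exposure: an industrial protocol on a routable address is the worst case;
        # any routable management interface is still a finding.
        if exposed and ics:
            findings.append(Finding(site, "critical",
                                    f"{', '.join(ics)} reachable from the Internet at {ip}"))
        elif exposed:
            findings.append(Finding(site, "high",
                                    f"management interface reachable from the Internet at {ip}"))

        # Default credentials: critical when the device is also exposed.
        if creds in DEFAULT_CREDS.get(product, set()):
            findings.append(Finding(site, "critical" if exposed else "high",
                                    f"vendor default credentials '{creds[0]}' on {product}"))

    # Same credential on several devices of one product: one leak opens them all.
    for (product, creds), sites in shared.items():
        if len(sites) > 1:
            for site in sites:
                findings.append(Finding(site, "medium",
                                        f"credential '{creds[0]}' for {product} reused across {len(sites)} sites"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.site))


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.site}: {f.issue}")
```

The inventory fields are the minimum an auditor would ask a provider to produce; the exposure test here is address-based and should be backed in practice by an authorized scan from outside the provider's network, since a private address behind a misconfigured NAT or VPN can still be reachable.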
Why would you say something like that? While I don't have high confidence in any governmental organization to ratify legislation that works well with tech matters, California has led the way for many things in the past that are now national standards.
Off the top of my head, there was a time when you could buy a new car without a catalytic converter, and without any emission standard requirements, in every state besides California. The same can be said about safety equipment or specifications (bumper heights, crash standards). Currently, all the requirements that had to be met for California are nationally required.
I expect we will see the same adoption nationally for small motorized and two-stroke motors in the future. Also, the Junior College system that CA has had since (at least) 1978 (sans tuition for residents) recently had national mention.
All in all, although many protest and resist change, it seems that California legislators are more intuitive than most, and they seem to have led the nation on many other models aside from the aforementioned.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
NOTHING is going to happen in California. Their budget is a joke. They have a double-digit sales tax rate and the biggest deficit of any state. They have the stupidest, most intrusive laws that negatively impact every other state. Their politics are almost as corrupt as Illinois'. They don't do a thing about illegal immigrants, and they're tipping the economy over and causing massive crime problems. They also have a drug problem. California is the model of how you don't run a state.
And they're supposed to get tough on cyber security?
What they propose is not going to happen simply because of this:
He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts.
Outside auditors doing anything in CA government? We'll see that only when all else is lost, and people are starting to go to prison.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
A state run by a single party beholden to corporate interests and lobbyists and massively dependent on the tech industry. A state that is so incompetently run that it is teetering on the verge of bankruptcy, that its schools have dropped to the bottom, and that can't even solve its traffic gridlock. Cybersecurity legislation in California will do little more than exempt tech companies from any sort of liability and pour out massive amounts in government subsidies to big corporations for cybersecurity initiatives.
Real cybersecurity would require massively increasing the financial liability of corporations for any breach in security that causes their customers to lose money or waste time. For example, when a data breach at Home Depot causes banks to have to reissue credit cards, banks should be financially responsible to their customers for the many hours they have to waste on dealing with new credit card numbers, and Home Depot should be financially responsible to banks for all their resulting costs. If each of these data breaches cost corporations a few billion dollars, you'd be surprised how quickly security shapes up.
Companies are profit maximizers. They aren't making changes because the current system doesn't cost them anything. They are never going to "put their money where their mouth is", and it is stupid to expect them to or even want them to.
The reason it doesn't cost them anything is because they are effectively immune from many forms of lawsuits, thanks to "the government".