Legislation to Mandate Security Standards
  #1 tonybradley (AO Security for Non-Geeks), joined Aug 2002, 830 posts

    Representative Adam Putnam (R-Florida), chairman of the House Government Reform Subcommittee on Technology, plans to introduce legislation to mandate minimum baseline security standards for the private sector.

    The article is short on detail, but essentially he feels that Congress, the Bush Administration, government agencies and private sector corporations are all dropping the ball on securing cyberspace, and that it's time for someone to step in and dictate some security standards.

    Click here to read the article

    I don't mind them specifying minimum standards as a generality, but they can't specify exact configurations or applications.

    Any thoughts?

  #2 HTRegz, Super Moderator (Know-it-All Master Beaver), joined Jan 2003, 3,914 posts
    I can see this for both the good and the bad. As a security-oriented person, I think that forcing businesses to meet security guidelines is a good thing. However, as a businessman, I think it violates my rights, and it makes me glad to be Canadian once again. There's no law that says I have to lock my doors, so why should there be a law that says I have to lock down my computer? There are both sides of the coin anyway.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  #3 catch (Banned), joined May 2003, 1,004 posts
    HTRegz, if someone breaks into your home, the societal effects are minimal. If someone breaks into a very large company, or many very large companies, and causes significant damage, the effects on the already weakened US economy could be very bad, with wide-reaching consequences.

    I think it makes more sense to levy an insecurity tax, where the funds are used to fix such problems if they occur, and companies can avoid paying said tax by passing standardized security audits.

    catch

  #4 HTRegz, Super Moderator (Know-it-All Master Beaver), joined Jan 2003, 3,914 posts
    I'm not talking about locking the doors of my home, catch; I'm talking about the doors to my business. If I walk out of my business and leave the doors unlocked, or if I leave a computer unsecured, the results can be the same. It's not a matter of it affecting the economy.

    It's like Ontario's Drive Clean rating. Your car has to pass an emissions test in order to be licensed. However, this test doesn't apply to government vehicles, transports and other such vehicles. It's a way of getting money from your average Joe Blow, be it a company or an individual. If it was really because they were concerned about the environment, then they'd require transports and buses and other such vehicles to pass the tests, since one of those vehicles pollutes worse than a small town of cars.

    This is the same thing: you have to meet these standards, and if you don't, we're going to fine you or tax you. More money for an already rich government. It's no longer a matter of "by the people, for the people"; it's "by the government, for the government", although the word government could also be replaced by "rich". If a country's economy crumbles because a few computers are compromised, that's a serious issue in itself; maybe the government should worry about raising its economy before it worries about taxing honest businessmen even more.

  #5 RoadClosed (Senior Member), joined Jun 2003, 3,834 posts
    Many industries are already regulated with "minimum" security requirements. In another thread I posted a link to FDIC.GOV. In order for a bank to have FDIC insurance (who would bank with one that doesn't?), they must meet a minimum requirement for security practices.

    Like all systems of compliance, it is very open to interpretation and adjustment. It's not easy to secure an environment with countless variables changing on a per-hour or even a per-minute basis. But generic minimum standards should be OK, like specifying that a company must employ a firewall device and that the latest patches to that firewall must be applied. At the same time, can you imagine an organization policing 16 billion connected devices? Impossible.

    Now for the flip side: innovation. With strict guidelines in place that restrict what a business can do with technology, it could take months to approve new devices and software.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  #6 Maestr0 (Senior Member), joined May 2003, 604 posts
    I think people tend to use the analogy of a house and a computer far too much, and it is largely inaccurate. I think if your machines are not connected to the internet, then you can leave them as insecure as you'd like, and if someone gives it to you while you're bent over, so be it. But in today's cyber world, computers are not passive "houses" just waiting to be rummaged through by some burglar; they are actively participating in a medium shared by others around you.

    I am not free to park my car in the middle of the freeway (I don't think you can in Canada either, but I'm not sure) because other people use it too. I can park my car in my driveway and set it on fire if I want, because that will not affect other people's usage of the highway systems. People have to realize that their systems will interact with and affect the systems of others on the internet, and some sort of responsibility has to be assigned to those who use this medium.

    If I drive my car into a storefront, I will be held accountable. If my dog bites someone on my street, I will be held accountable. If I set my computer on the internet with no security and it's used to compromise a business and cost them millions of dollars, I just shrug and say "Geez, Microsoft sucks." Granted, I don't think someone should be held criminally liable in this situation, but I think they should be held accountable in civil court and should pay the damages if it cannot be shown that the owner did not attempt to protect sensitive data, or the usage of his system to access data/systems belonging to his clients or others, from misuse and/or neglect. Do like Mr. Redfoot says and "put a leash on that puppy".

    -Maestr0

    EDIT: Cheers Tony for another good find.
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  #7 moxnix (Macht Nicht Aus), joined May 2002, Huson Mt., 1,752 posts
    Unfortunately, this will probably go the way the auto industry has gone. Mandated seatbelts, daytime running lights, 5 mph bumpers, and airbags. The costs... passed on to the consumer, whether we want these devices or not.
    In the future, we could see mandated firewalls (non-adjustable or non-configurable by the end user), locked-down virus packages (non-configurable), and possibly content filters to keep 44-year-old little Harold from viewing any objectionable websites.
    Just remember: put your helmet on every time you boot up. It is the law, and since Micro$oft is used in most computers, it protects you in case of crashes.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  #8 keezel (0_o Mastermind), joined Jun 2003, Atlanta, 1,024 posts
    I say it's about time! Businesses always seem to be complaining about how a hacker got into their system and did (you fill in the blank), but it's really partly their fault for not securing their systems in the first place. Maybe this will cut down on stuff like that, and hopefully we'll hear less about SKs and crackers damaging company info/computers. If it works out like that, then maybe people won't think so badly of hackers. I know, it sounds more like wishful thinking, but I still say it's good that there will be some sort of minimum standard set for companies now.

  #9 Loki (Junior Member), joined Jul 2003, 14 posts
    I'm a hacker, and we do need security on the Net. I mean, just look at the Slammer worm. That was programming genius. If Akamai hadn't stopped it, it could have shut down the internet in 15 minutes. That's 4 billion IP addresses. You do the math. It made 911 operators resort to writing on paper, basically sending them back to the Stone Age. All in all, if there's no security on the Net, then where's the fun in exploring it?

    Just my tidbit.
    Loki

  #10 RoadClosed (Senior Member), joined Jun 2003, 3,834 posts
    Mandated security devices. Mandating a specific security device is dangerous from a technological point of view. It is quite possible that someone could determine that a fatal flaw exists in the security design that cannot be easily fixed without modification locally. That would be hard to correct if that process (of modifying the setup or code) was illegal.

    Let me skip the house analogy and introduce another one I have been thinking about. Let's say a hacker breaks into a bank's network and steals all the money from Mr. Anderson's account ($89,000) by exploiting a hole in a Windows server. You can insert a Linux server if you like. Let's also assume many safeguards are in place, but somehow the hacker manages to bypass all devices, and by the time the error is known (a day or even a few hours), the money is already wired to another account and drained. At this point the money is gone and cannot be recovered. By arguments heard on this forum, I would come to the conclusion that the bank is NOT liable for the missing 89,000 dollars. That is absolutely not true. There can be only two outcomes from this situation: the bank recovers Mr. Anderson's account through emergency funds that cover a loss, or the bank now finds its assets in bankruptcy court.

    Businesses ARE liable for not securing their assets. Sure, you can leave the door unlocked if you want, but you and your business will pay in the end if disaster strikes. There is no insurance for negligence. Having said that, in my opinion the government has no business regulating private industry regarding their electronic security principles. That is a fundamental aspect of our democratic society, and any major shift in that aspect changes our basic societal principles. This isn't about cars or physical objects; this is about our communication and speech. Having one's home address stolen or credit card stolen is NOT a matter of personal safety in terms of death. Regulations in the auto industry are about saving lives and keeping the money that insurance companies pay out to a minimum. But eventually someone is going to lose enough money on the internet, and some politician is going to fight drastically for some kind of regulatory mechanism. To put it simply: "that would totally suck".

    Disclaimer: Mr. Anderson is an agent in the employ of the Matrix. He is not a real person, only a figment of someone’s construct.