-
July 15th, 2003, 09:44 PM
#11
Just to play the devil's advocate: This could be something like how we have fire inspectors come around to your building to make sure you are not doing anything unsafe. They are not doing it to invade your privacy or anything, but they are worried about certain things in your business that start fires or prevent them. They are doing it for the communal good.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
July 15th, 2003, 09:52 PM
#12
RoadClosed, this is kinda sorta true... however, your example is too simple to be valid.
In real life when a company is compromised and loss occurs, depending on the loss... several things may happen. It may go to insurance, FDIC or whatever... in this case it is important that the insured can prove that it was meeting the due care as stipulated by the insurance policy as a policy lacking this stipulation would be too expensive to exist. In this first situation, your arguments are exactly right... the company follows a standardized security policy as agreed by the insurance company and this compromise has no real social impact.
Situation #2: Another large company, maybe or maybe not insured, gets compromised. This company is a multi-billion dollar organization... say an R&D company. They are compromised and for whatever reason either lacked insurance or failed to follow the due care defined in their policies, and a project worth billions is stolen and released first by a competing company. If they had no way to recover this loss, you can bet they'd keep it private. Now this company loses billions upon billions of dollars, is forced to go into recovery mode, and suddenly stops paying its bills on time as companies like to do... word gets out, panic hits the market and stock prices plummet. Their small vendors that relied on this company for their biggest contracts start going under as they can no longer float the debt owed to them. Larger companies that also relied on these niche vendors start getting delayed in their projects as they scramble to fill the gaps. Then the lawsuits start... scummy lawyers sue the large company for the stock price drop, the small companies put the large company into third party collections... banks freeze new loans, the bond holders sue the stock holders for ownership of the company. The executives knew about this beforehand, so needless to say they have all sold their stock and moved to South America.
Now the stock market has taken a large hit as stock holders all over are feeling unsure about tech, even from established companies. Thousands of people have been laid off or had their companies go under... the list goes on...
The point is, it's not ok for this kinda thing to happen just because some manager somewhere wanted to cut his budget, earning himself a raise. Enforcement on the other hand... this is why I like my tax idea: allow the companies to pay the cost for this, because the cost goes way beyond themselves. (We're not even talking about malicious efforts like Enron; such taxing and auditing would have kept them in line as well.)
catch
-
July 15th, 2003, 10:01 PM
#13
Yes, I agree with you CXGJarrod, there are places that need regulation. I have to get my elevator inspected and tested as well. I wouldn't want the elevator car falling from the 110th floor!
But I don't see the necessity of a government agency regulating and "securing" electronic communications conduits. Currently (to some degree) they cannot tap my phone or look in a filing cabinet without due process of law and proving to a judge or court that I might be up to something not in alignment with the communal good (in the standards of ethics and morals of that community). We all agree that is a good thing, so why would it be in the best interest of everyone to say, "ok, it's better if you just put these black boxes at every business in the USA and control the security from now on"?
We have regulations in place to make sure Amtrak doesn't smash a Greyhound at a railroad crossing and kill 300 people. We also have regulations in place to make sure your plane makes it to O'Hare at 9pm sharp and does not explode or get shot down. What we do not need is a regulation whereby the Sys. Admin from Michigan goes to jail because Susy Q. got a harassing email from her Cube Dawg.
Simple statement, I know, but I am trying to get my point across.
Catch, you prove my point exactly. I was trying to enforce the fact that companies realize they are liable and they aren't going to leave their doors unlocked. The stock market industry is regulated very precisely already. There IS an impact on the economy when a major firm is hit. In fact, my interface into New York is more secure than anything I have ever encountered while working with the government.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
July 15th, 2003, 10:08 PM
#14
Originally posted here by RoadClosed
Yes, I agree with you CXGJarrod, there are places that need regulation. I have to get my elevator inspected and tested as well. I wouldn't want the elevator car falling from the 110th floor!
But I don't see the necessity of a government agency regulating and "securing" electronic communications conduits. Currently (to some degree) they cannot tap my phone or look in a filing cabinet without due process of law and proving to a judge or court that I might be up to something not in alignment with the communal good (in the standards of ethics and morals of that community). We all agree that is a good thing, so why would it be in the best interest of everyone to say, "ok, it's better if you just put these black boxes at every business in the USA and control the security from now on"?
We have regulations in place to make sure Amtrak doesn't smash a Greyhound at a railroad crossing and kill 300 people. We also have regulations in place to make sure your plane makes it to O'Hare at 9pm sharp and does not explode or get shot down. What we do not need is a regulation whereby the Sys. Admin from Michigan goes to jail because Susy Q. got a harassing email from her Cube Dawg.
Simple statement, I know, but I am trying to get my point across.
I agree with you. Creating another government agency to police and monitor people is not a good solution. Plus, you would have to get a lot of smart IT people to police everything. I also do not think that one solution will fit all. Some people feel fine having a Linux box as their router to the net while others need the latest from Cisco. How do you define or set a standard that people have to follow?
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
July 15th, 2003, 10:21 PM
#15
Junior Member
There is another point that I have not read anyone else address, and that is the fact that the intruders this rudimentary standard is trying to protect against do not follow the governmental laws now, so why would this change anything? This might present more of a challenge to those who would do harm and therefore spark more interest.
I would like to know more about the sponsor and author of this bill in order to determine where the motivations truly lie; this might shed more light on the subject.
Why can we not police ourselves in such matters? Why must the government always get involved?
Replicant
"In an hour of Darkness a blind man is the best guide, in an age of insanity, look to the madman to show the way"
-
July 15th, 2003, 10:26 PM
#16
And to further what Replicant said: if there is some sort of standard to secure networks and someone finds an exploit, then it will make it that much easier for someone to get into other networks that follow these guidelines.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
July 15th, 2003, 11:35 PM
#17
If there is a standard developed, I bet my bottom dollar that it will be non-specific and ambiguous. Much like the privacy law currently in Australia. I think that law states something like "All data deemed sensitive must be adequately encrypted". Gee, thanks, very helpful.
I think that this particular law has been brought up not to benefit the companies in question, but to protect the data that they store that does not belong to them.
For example, how many companies out in the wild, wild west do you think store details about yourself? Name, Address, License Number, Credit Card Number, Bank Details etc... I think that this is what they are attempting to get businesses to secure, as they may physically possess that data, but I would not classify them as the data owners.
When I drive someone else's car, I am a hell of a lot more careful than when I drive my own. I think that businesses should be the same.
SoggyBottom.
There were so many fewer questions when the stars where still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
-
July 16th, 2003, 01:47 AM
#18
And to further what Replicant said: if there is some sort of standard to secure networks and someone finds an exploit, then it will make it that much easier for someone to get into other networks that follow these guidelines.
That is why I said at the outset that any such mandatory security guidelines would have to be broad and vague.
If they were to dictate to the level of specific operating systems, or specific devices and configurations- then one flaw in any of those configurations would automatically expose the whole infrastructure.
Like SoggyBottom said- it would have to be vague, sweeping statements like "a corporation must protect all transmission of sensitive data from unauthorized access or viewing" while leaving the methods and technology used to accomplish the goal up to the individual companies.
There are standards out there now for some industries- HIPAA, the Gramm-Leach-Bliley Act. If you want an idea of what the proposed legislation will eventually look like you should probably refer to those bills. Essentially, I believe Mr. Putnam is suggesting broadening the scope of such acts to cover not only health care or financial institutions- but every corporation.
I am trying to contact Mr. Putnam directly for an interview- no response from his office yet.
-
July 16th, 2003, 03:56 AM
#19
Junior Member
I understand that the guidelines would have to be so vague that once compromised they would not allow all "trusted" systems to be subject to intrusion and exploitation. But why should the government be the driving force behind this effort?
If left to their own devices, private industry will set the standards; an example is the Trusted Computing Platform Alliance, an effort to encourage the use of specific types of systems and protocols to provide an industry-wide level of security. The market will set the tone: once word gets out that data is compromised at company X, then consumers will no longer conduct business with company X, they will engage in commerce with company Y whose data is more reasonably secure.
Why create another tax, another bureaucracy, and more laws that cannot and will not be enforced? Who would be the enforcement body of these new regulations? An already overextended FBI? Why punish business by making it more expensive than it already is?
Replicant
"The rewards of tolerance are treachery and betrayal"
-
July 16th, 2003, 03:46 PM
#20
There are standards out there now for some industries- HIPAA, the Gramm-Leach-Bliley Act
Yes, that is absolutely correct. There is legislation within the government already that is somewhat specific in stating some of the concerns that have been posted here. The Gramm-Leach-Bliley Act is already significant because corporations are taking it very seriously. I too (along with tonybradly) urge anyone involved with protecting customers' data to read those legislative acts.
In addition there is the Privacy Act of 1974. Even that older piece of legislation has been amended to include automated data processing. Do some research before you let some politician scream bloody murder at the local supermarket crying out for laws to protect the "innocent", because I guarantee when you go fill your propane tank up at Tom's local "Propane and Propane Accessory" shop, he's not paying any attention to the Gov. when he puts your credit card number on his Windows 3.11 PC connected to the internet.
This reminds me of the constant pressure to place more restrictive gun laws (another can of worms) on the books in this country, when in fact there are hundreds of laws across the federal government and state legislative branches.
Laws or not, someone is going to forget to patch a server or someone is going to find an exploit. Only now, if laws are passed, the action of not patching becomes a crime. Do you all realize that software makers plan to have exploits in code? There is reasonable risk that out of 20 million lines of code, they ACKNOWLEDGE that there is a percentage risk in releasing that code. It's to be expected, hell, there are 20 million lines there! So 5 percent is expected to be a security risk. And it is also expected that if you patch 20 percent of bugs, then you introduce another 1% of possible security exploits.
Those numbers are askew and actually optimistic. I really think government efforts could be better spent by educating the populace on the risks of using a computer. Hell those condom commercials are SCARY! Scare the people into putting condoms (i.e. layers of security) on their PC too.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.