Government Security

US DOJ Lays Out Cybersecurity Basics Every Company Should Practice

coondoggie writes "The mantra is old, grant you, but worth repeating since it's obvious from the number of cybersecurity breaches that not everyone is listening. Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government and vice-versa, to combat cyber threats through better prevention, preparedness, and incident response."

  • Incentives (Score:5, Insightful)

    by Okian Warrior ( 537106 ) on Sunday May 26, 2013 @01:32PM (#43828019)

    Making a book of "best practices" is a good first step, but incentives are also needed.

    For example, suppose the government set penalties for security breaches which result from not following best practices. The penalties would not trigger until an actual breach, but if one *does* happen then the company is fined for breach of trust.

    The fines should be structured to encourage businesses to reduce risk, by artificially creating proportional risk.

    If someone steals CC numbers because the company kept them in the clear, and kept them beyond the time necessary to complete a transaction, the company is fined $5 each number. If passwords are not encrypted and salted, $1 for each stolen password. If web form data is not sanitized and customer information is stolen, $3 for each record. If the power station control computers are on the net with default passwords - half a mil.

    The government could also set up incentives and rewards for white-hat hackers who find vulnerabilities. If 1/10 of the potential fine goes to the white-hat hacker who discovers it, security practices would come into line very quickly. Perhaps with a cap of $50,000: enough for incentive to the hacker and the company, but not enough to affect the business.

    (... tempered by common sense. The company can argue that a different action is just as secure as "best practice" - but this should be done in court as response to a data breach investigation. Also, security breaches which are the result of something not covered by "best practices" are exempt.)

    Government can tweak and tune things for the betterment of society, but it has to be structured in the manner of game theory. People have to want to follow procedures.

  • by Anonymous Coward on Sunday May 26, 2013 @01:54PM (#43828091)

        Do I secure my network or backdoor it to comply with the demands of the Surveillance State?

  • Re:Incentives (Score:2, Insightful)

    by Anonymous Coward on Sunday May 26, 2013 @01:58PM (#43828107)

    Oh, I see. You want to monetize security breaches and have the government provide price supports, sort of like the DEA does with drugs.

    Then a whole army of bureaucrats and police will be created to make sure security breaches remain a profit center for their continued existence.

    That will solve the problem!
