Cybersecurity and the Internet Economy 32
Orome1 writes "Global online transactions are currently estimated by industry analysts at $10 trillion annually. As Internet business grows, so has the threat of cybersecurity attacks. The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.'"
Good 4 consumers, AND business! (Score:2, Interesting)
And, about time! I can see this working out for businesses that comply, because it's a note of confidence to those that do business w/ said business, and good "P.R. image" too! Sort of like Sarbannes Oxley, &/or ISO standards, but imo, this is more effective (especially for online commerce).
Thoughts?
APK
P.S.=> This could also work out for more IT related employment, for us "geeks/nerds" out there as well... bonus!
... apk
Re: (Score:2)
Sarbanes Oxley compliance != security.
SOX has made SAN makers rich due to having to store E-mail for a long amount of time (50 years if you have anything to do with aerospace).
It also has pushed out F/OSS solutions because without "due diligence" (which means products need FIPS certifications, Common Criteria, yadda, yadda, pretty tags that require a lot of money to pay an independent testing lab to get approved), people might see prison time.
That is if the law is enforced... AFAIK, HIPAA was enforced once.
Re: (Score:2)
It also has pushed out F/OSS solutions because without "due diligence" (which means products need FIPS certifications, Common Criteria, yadda, yadda, pretty tags that require a lot of money to pay an independent testing lab to get approved), people might see prison time.
Except that there are free software systems that have FIPS and CC certifications -- RHEL certainly comes to mind (no surprises there, considering who their customers are).
Re: (Score:2)
PCI-DSS.
It already renders this action late and irrelevant.
And the compliance it mandates is - for the better part - excellent, prescriptive security configuration advice.
Re: (Score:2)
Pee Dee Eff Source Report. (Score:3)
Re: (Score:3)
Re: (Score:1)
Re: (Score:1)
Try copypasting the PDF to cybercybercyber.txt, and then running:
cat cybercybercyber.txt | tr 'A-Z' 'a-z' | tr '\n\r' ' ' | grep -o 'cyber...[^ ]*[a-z]' | sort | uniq -c | sort --reverse
The top cyberbuzzwords are:
227 cybersecurity
15 cyberinsurance
14 cyberspace
10 cyber attacks
The article uses the following very annoying, and rather stupid phrases/words:
cyber attack,
cyber breach
cyber crime,
cyber defense,
cyber economics,
cyber ecosystem,
cyber hygiene
cyber incidents,
cyber insurance,
cyber insurers
cyber intrusion
Re:Crack some heads. (Score:5, Insightful)
We already had that. Operation Sun Devil.
Result: The US is very hard pressed to find any true blackhats to work for them, while China considers them the same as front line infantry or artillery troops, and pays them very well. Russia, same.
If we had another hacker pogrom, the people that would get scooped up wouldn't be the true people causing the breaches at SCEA, SOE, or other places. Those guys are clued enough to use compromised machines on Joe Sixpack's coffee table, or offshore sites.
The people picked up would be people in the iPhone Dev Team, the ROM modders at XDA Developers, and others like that... low hanging fruit that are not doing anything against the law, but are interfering with profits or the will of a CEO somewhere.
what a generic comment (Score:2)
Commerce Secretary Gary Locke said: 'By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from [INSERT SUBJECT HERE]'."
Re: (Score:3)
Problem solved.
Until there is a strong financial incentive to implement practices that work to reduce security breaches, this will not ever be fixed.
Re: (Score:2)
You hit the nail on the head. Companies look at security and see that it costs money with no benefit other than preventing something that might happen. Even when that thing does happen they will just say they are a victim of crime and don't we already pay the police/FBI via taxes so why would we need insurance?
I agree that financial penalties mandated by law are the way to get security taken seriously, but it would be nice if consumers started to react too. How many people decided to delete their PSN accoun
Only voluntary for a few days .. (Score:2)
Interesting definition of voluntary. Once you wade through 22 pages or fluff, you find (in the middle of the page numbered 12):
"These voluntary codes of conduct, developed through multi-stakeholder processes.. Once these codes have been developed to and companies have committed to follow them, relevant law enforcement agencies, such as Federal Trade Commission (FTC) and State Attorneys General, could enforce them, .."
[Next page]
"The FTC's role in challenging both deceptive and unfair acts or practices in th
Re: (Score:1)
Re: (Score:3)
I just find it a bit hypocritical to say voluntary when they intend to use force.
We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.
Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:
1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselve