[HN Gopher] U.S. Senate to probe whether legislation needed to c...
___________________________________________________________________
U.S. Senate to probe whether legislation needed to combat cyber attacks

Author : ArkanExplorer
Score  : 28 points
Date   : 2021-06-10 20:45 UTC (2 hours ago)

(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)

| mikewarot wrote:
| Legislation is required to reverse the posture of the NSA from offense to defense. Nothing else will help until that is done.
|
| jnwatson wrote:
| NSA's posture has been both for at least twenty years. They have separate divisions and everything.
|
| smolder wrote:
| The issue, of course, is that their missions are out of alignment with respect to fixing vulnerabilities, and we've seen red team capabilities prioritised such that harm came to the vulnerable. Generally, defending an intentionally security-impaired infrastructure is going to be a lot of additional, probably costly work.
|
| idiotsecant wrote:
| Offense is much more appealing and also much simpler, unfortunately.
|
| rafale wrote:
| Mandatory bug bounty programs with a minimum 1k payout. Open to US residents and foreigners alike.
|
| jjcm wrote:
| At what level of scale? Is this for all businesses, including my weekend startup? What qualifies for a bug?
|
| You could likely do this for any publicly traded company, but the qualifiers for what constitutes a bug would take some time to define.
|
| akomtu wrote:
| Translating to plain language: bureaucrats are evaluating the possibility of banning encryption and cryptocurrencies under the veil of combating cyber attacks.
|
| sida wrote:
| I mean cryptocurrency is indeed what made ransomware possible.
|
| convolvatron wrote:
| reverse the terrible ITAR legacy
|
| fund foundational security and mandate its use by government agencies and suppliers
|
| e40 wrote:
| > foundational security
|
| Can you tell us what that means?
| mikewarot wrote:
| I suspect the Bell-LaPadula model would be part of it
|
| https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
|
| Much research was funded, and solutions were found long, long ago, to many of our current "problems".
|
| PeterHolzwarth wrote:
| An unconventional approach could be to make it a severely penalized, strictly enforced, federal crime to pay ransom.
|
| (Of course, a year or so pre-warning of this kind of law would be required to allow for companies to lock their data down.)
|
| hpoe wrote:
| All you get at that point is the right people using it to prosecute the honest people.
|
| bpodgursky wrote:
| I think it would just give CEOs who want to do the right thing (and not pay) legal cover to tell the board of directors "Nope, not paying -- the company is going to be shut down for a month. Deal with it, I'm not going to jail."
|
| MeinBlutIstBlau wrote:
| It's mind-boggling that the government needs to require this. What bureaucrat is refusing some IT person's request for the funds to do this?
|
| handrous wrote:
| It's very hard to get raises or promotions on all the bad things that would have happened, had your actions not entirely prevented them. Much better to devote those resources to new initiatives or "transformations" or whatever, ideally ones that can be tied directly to higher revenue, while doing just enough about security that you can't be accused of being unusually lax if something goes wrong (and since all your peers are very lax, for the same reasons, this isn't much).
|
| elliekelly wrote:
| It's not cyber security, but a few years ago I had to _beg_ a financial institution for automatic encryption of outbound messages that contained possible PII. That's not even terribly difficult or expensive to implement anymore.
| But, lest they "inconvenience" clients and relationship managers, one board member suggested a compromise: use a watermark "in an automated fashion" on emails so if a bad actor intercepted the message and posted it online we'd know who was to blame.
|
| Shortly after that we implemented a mandatory cybersecurity training for the board because it was quite clear they were completely fucking clueless, to put it mildly.
|
| artful-hacker wrote:
| Literally all of them. Security is a cost center, and non-bureaucrats' salaries are minimized as much as possible until you are left with "warm body to fill chair". Even the NSA doesn't pay well, compared to the private sector.
|
| milkytron wrote:
| The gap between security and defense seems to be becoming smaller. If some of the defense budget was put towards cyber defense, I bet we could see some drastic improvements.
|
| MeinBlutIstBlau wrote:
| I'm wholly aware the private sector pays better, but in the grand scheme of pay/average citizen, they still make decent salaries. In that regard, why is upper management ignoring IT security at a base-line level of at least rotating backups? Like even that is pretty cheap, and you can revert systems back within a day or two with a few days of lost work. Nobody is saying have a top tier security team.
|
| hn8788 wrote:
| I was on a temporary pentesting contract at a Fortune 500 company, and the reason for ignoring security came down to cost. Our contact in their IT department said that when they were trying to get the budget to fix their longstanding security issues, they were told that it's cheaper to accept occasionally getting hacked than it is to fix things. They said that public relations people at big companies had pushed the "the bad guys attacked us, it could have happened to anyone" narrative so well that, besides a few-day dip in stock prices, there would be no negative financial impact on the company.
| The average person thinks of getting hacked like being robbed at gunpoint, where it can happen to anyone through no fault of their own.
|
| jnwatson wrote:
| In terms of dollars and cents that makes complete sense.
|
| Real security is extraordinarily expensive. Very rarely is that compatible with shareholder value.
|
| ForHackernews wrote:
| > Even the NSA doesn't pay well, compared to private sector.
|
| On the other hand, I bet it's pretty fun working for the NSA: https://en.wikipedia.org/wiki/NOBUS
|
| pyuser583 wrote:
| From what little I've heard, the NSA is not different from other public sector work.
|
| russian-hacker wrote:
| https://en.wikipedia.org/wiki/Manufacturing_Consent
|
| rdxm wrote:
| lol.......I'm trying to figure out how The Onion spoofed Reuters.....
|
| Ericson2314 wrote:
| I am always worried non-programmers don't sufficiently understand how pathetic it is that we limp along with bloated Unix and other accidents of history that were never retired. And this laissez-faire approach to cleanliness and reducing complexity _both_ makes us more vulnerable _and_ less productive.
|
| AnimalMuppet wrote:
| Why single out Unix and not, you know, _Windows_?
|
| AnIdiotOnTheNet wrote:
| Because most IT infrastructure is based on some form of Unix?
|
| Linux fans really like to play up the "Windows is so insecure!" rhetoric, but it isn't really true. Linux and the common systems implemented on it, for instance, have had plenty of vulnerabilities. Windows gets an especially bad rap pretty much only because it is the most common desktop OS, but desktop Windows and desktop Linux have the same giant gaping security problem: the human being using them.
|
| AnimalMuppet wrote:
| Everything you say is true, but that wasn't my point. The OP said
|
| > ... how pathetic it is that we limp along with bloated Unix and other accidents of history that were never retired.
|
| So, why single out Unix? Is Unix more bloated than Windows?
| I doubt it. Is it more of an accident of history than Windows? No. Is it _more_ in need of being retired than Windows? I think it would take someone with an axe to grind to say so.
|
| And that's what my comment was about: trying to expose that axe being ground.
|
| eplanit wrote:
| Exactly -- Windows is the biggest vector for malware, by orders of magnitude.
___________________________________________________________________
(page generated 2021-06-10 23:00 UTC)