[HN Gopher] U.S. Senate to probe whether legislation needed to c...
___________________________________________________________________
U.S. Senate to probe whether legislation needed to combat cyber
attacks
Author : ArkanExplorer
Score : 28 points
Date : 2021-06-10 20:45 UTC (2 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| mikewarot wrote:
| Legislation is required to reverse the posture of the NSA from
| offense to defense. Nothing else will help until that is done.
| jnwatson wrote:
| NSA's posture has been both for at least twenty years. They
| have separate divisions and everything.
| smolder wrote:
| The issue of course is that their missions are out of
| alignment with respect to fixing vulnerabilities, and we've
| seen red team capabilities prioritised such that harm came to
| the vulnerable. Generally, defending an intentionally
| security-impaired infrastructure is going to be a lot of
| additional, probably costly work.
| idiotsecant wrote:
| Offense is much more appealing and also much simpler,
| unfortunately.
| rafale wrote:
| Mandatory bug bounty programs with a minimum 1k payout. Open to
| US residents and foreigners alike.
| jjcm wrote:
| At what level of scale? Is this for all businesses, including
| my weekend startup? What qualifies for a bug?
|
| You could likely do this for any publicly traded company, but
| the qualifiers for what constitutes a bug would take some time
| to define.
| akomtu wrote:
| Translating to plain language: bureaucrats are evaluating the
| possibility to ban encryption and cryptocurrencies under the veil
| of combating cyber attacks.
| sida wrote:
| I mean cryptocurrency is indeed what made ransomware possible.
| convolvatron wrote:
| reverse the terrible ITAR legacy
|
| fund foundational security and mandate its use by government
| agencies and suppliers
| e40 wrote:
| > foundational security
|
| Can you tell us what that means?
| mikewarot wrote:
| I suspect the Bell-LaPadula model would be part of it
|
| https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
|
| Much research was funded, and solutions were found long, long
| ago, to many of our current "problems".
| PeterHolzwarth wrote:
| An unconventional approach could be to make it a severely
| penalized, strictly enforced, federal crime to pay ransom.
|
| (Of course, a year or so pre-warning of this kind of law would be
| required to allow for companies to lock their data down.)
| hpoe wrote:
| All you get at that point is the right people using it to
| prosecute the honest people.
| bpodgursky wrote:
| I think it would just give CEOs who want to do the right
| thing (and not pay) legal cover to tell the board of
| directors "Nope, not paying -- the company is going to be
| shut down for a month. Deal with it, I'm not going to jail."
| MeinBlutIstBlau wrote:
| It's mind boggling that the government needs to require this.
| What bureaucrat is refusing some IT person from requesting the
| funds doing this?
| handrous wrote:
| It's very hard to get raises or promotions on all the bad
| things that would have happened, had your actions not entirely
| prevented them. Much better to devote those resources to new
| initiatives or "transformations" or whatever, ideally ones that
| can be tied directly to higher revenue, while doing just enough
| about security that you can't be accused of being unusually lax
| if something goes wrong (and since all your peers are very lax,
| for the same reasons, this isn't much).
| elliekelly wrote:
| It's not cyber security but a few years ago I had to _beg_ a
| financial institution for automatic encryption of outbound
| messages that contained possible PII. That's not even terribly
| difficult or expensive to implement anymore. But, lest they
| "inconvenience" clients and relationship managers, one board
| member suggested a compromise: use a watermark "in an automated
| fashion" on emails so if a bad actor intercepted the message
| and posted it online we'd know who was to blame.
|
| Shortly after that we implemented a mandatory cybersecurity
| training for the board because it was quite clear they were
| completely fucking clueless, to put it mildly.
| artful-hacker wrote:
| Literally all of them. Security is a cost center, and
| non-bureaucrats' salaries are minimized as much as possible until
| you are left with "warm body to fill chair". Even the NSA
| doesn't pay well, compared to private sector.
| milkytron wrote:
| The gap between the security and defense seems to be becoming
| smaller. If some of the defense budget was put towards cyber
| defense, I bet we could see some drastic improvements.
| MeinBlutIstBlau wrote:
| I'm wholly aware the private sector pays better, but in the
| grand scheme of pay/average citizen, they still make decent
| salaries. In that regard, why is upper management ignoring IT
| security at a base-line level of at least rotating backups?
| Like even that is pretty cheap and you can revert systems
| back within a day or two with a few days of lost work. Nobody
| is saying have a top tier security team.
| hn8788 wrote:
| I was on a temporary pentesting contract at a Fortune 500
| company, and the reason for ignoring security came down to
| cost. Our contact in their IT department said that when
| they were trying to get the budget to fix their
| longstanding security issues, they were told that it's
| cheaper to accept occasionally getting hacked than it is to
| fix things. They said that public relations people at big
| companies had pushed the "the bad guys attacked us, it
| could have happened to anyone" narrative so well that
| besides a few day dip in stock prices, there would be no
| negative financial impact on the company. The average
| person thinks of getting hacked like being robbed at
| gunpoint, where it can happen to anyone through no fault of
| their own.
| jnwatson wrote:
| In terms of dollars and cents that makes complete sense.
|
| Real security is extraordinarily expensive. Very rarely
| is that compatible with shareholder value.
| ForHackernews wrote:
| > Even the NSA doesn't pay well, compared to private sector.
|
| On the other hand, I bet it's pretty fun working for the NSA:
| https://en.wikipedia.org/wiki/NOBUS
| pyuser583 wrote:
| From what little I've heard, the NSA is not different from
| other public sector work.
| russian-hacker wrote:
| https://en.wikipedia.org/wiki/Manufacturing_Consent
| rdxm wrote:
| lol.......i'm trying to figure out how the onion spoofed
| Reuters.....
| Ericson2314 wrote:
| I am always worried non-programmers don't sufficiently understand
| how pathetic it is that we limp along with bloated Unix and other
| accidents of history that were never retired. And this
| laissez-faire approach to cleanliness and reducing complexity
| _both_ makes us more vulnerable _and_ less productive.
| AnimalMuppet wrote:
| Why single out Unix and not, you know, _Windows_?
| AnIdiotOnTheNet wrote:
| Because most IT infrastructure is based on some form of Unix?
|
| Linux fans really like to play up the "Windows is so
| insecure!" rhetoric, but it isn't really true. Linux and the
| common systems implemented on it, for instance, have had
| plenty of vulnerabilities. Windows gets an especially bad rap
| pretty much only because it is the most common Desktop OS,
| but Desktop Windows and Desktop Linux have the same giant
| gaping security problem: the human being using them.
| AnimalMuppet wrote:
| Everything you say is true, but that wasn't my point. The
| OP said
|
| > ... how pathetic it is that we limp along with bloated
| Unix and other accidents of history that were never
| retired.
|
| So, why single out Unix? Is Unix more bloated than Windows?
| I doubt it. Is it more of an accident of history than
| Windows? No. Is it _more_ in need of being retired than
| Windows? I think it would take someone with an axe to grind
| to say so.
|
| And that's what my comment was about: Trying to expose that
| axe being ground.
| eplanit wrote:
| Exactly -- Windows is the biggest vector for malware, by
| orders of magnitude.
___________________________________________________________________
(page generated 2021-06-10 23:00 UTC)