What A Sarbanes-Oxley For Computer Security Might Look Like
from the bad-ideas dept
One problem with all of the constant talk about data breaches, phishing and identity theft is that it definitely has the potential to induce some shortsighted legislation in hopes that it will make the problem go away. Some have even said that nothing will happen on the legislative front until we see some sort of "digital Enron" that forces politicians into action. Of course, the actual Enron resulted in the much-lamented Sarbanes-Oxley, which stands as evidence that sweeping laws shouldn't be made in haste, during times of crisis. It's not clear whether or not we've had our "digital Enron" yet, but already some pundits are putting forth their ideas for a digital Sarbanes-Oxley. Ira Winkler at Computerworld argues that Congress should mandate ISP liability for malicious traffic on their networks, something which we've argued many times is a bad idea, since it's an approach that goes after the wrong party. But this is just the beginning. In addition to placing liability on ISPs, he says that individual computer users should be held liable if they fail to keep their computer secure, and it becomes part of a botnet. It's really hard to know where to start with that idea, other than to say that it again goes after the wrong party, and it could really discourage the average person from ever wanting to go online. His final suggestion is that Congress pass a law that makes security software better. He doesn't really offer anything concrete on this point, which is not surprising, because it's really out of the realm of what Congress can do. Simply legislating that something be made better will only increase the costs of making it, and reduce its availability. Seeing as the government can't even pass effective laws against spam, anything that it does in the area of identity theft or computer security should be viewed suspiciously. Fortunately, this particular proposal seems so extreme, it's hard to imagine it going anywhere. It's also interesting to note that this is the second thing we've seen today from Computerworld that calls for more government involvement in tech issues. Sounds like they could use some more skepticism about the government's ability to solve these problems.
Reader Comments
ummm...
Hey PhysicsGuy
Your comment seems to lean WAY more towards believing that this is a mistaken interpretation of the article, but those fools over at CW aren't joking in the least. Not some parodied sham to point out how flawed Sarbanes-Oxley is or point out how idiotic any similar legislation concerning the web would be. They honestly believe that shit.
And, PhysicsGuy, that extra second you spent getting snarky on spelling would have been better spent RTFA, you tard
Fewer idiots on the 'net?.... sign me up.
We tend to think of it as the children's playground on the not-so-nice side of town. Children shouldn't be left to go play on their own without either (a) competent supervision or (b) some means to defend themselves in case of trouble.
That being said, where do we draw the line? What are the minimum requirements for getting online? A two-week training course? Mandatory software/utilities? To be honest, I don't know.
I do like the idea of requiring better software though, even as a developer myself. I just finished taking a 3-day training course on ASP.Net and the instructor took time out to show us how the samples provided could have been written better (actually, his words were more like "never ever ever ever write code like this - it's just bad"). We spent an entire day working on how to secure a site and security considerations. In the end, I think a big part of improving computer security will fall to the developers and we need the training. Perhaps the place to start is the colleges and universities by making security considerations a required minor for all developers....
Unfortunately, I don't have the answers... just a lot of half-baked ideas. I do what I can to protect myself, teach my family and friends to protect themselves and help people in distress where I can. I just wish there were fewer "novice" users and more "competent" users.
More laws = money consulting money
Writing computer articles is like writing books, mostly a really big and heavy business card to be used in getting lucrative contracts.
Contracts like... a never ending stream of audits that have to be performed to be in governmental compliance.
I guess not enough people are becoming ISO compliant anymore and maybe people have figured out that SOX doesn't apply to their computer systems and so aren't wasting as much money there?
People Please
If you can't beat them.....
Organization after organization has been forced to announce security. The security industry touts the latest vulnerability to hype their sales and some companies run out to buy the latest technology to "protect" themselves and their customers. Months go by and then the next attack is announced, usually bigger than the previous announcement. Technology is not the only answer, it will not solve the problem alone, and it will not secure our nation's critical information structure.
The key is that companies need to ensure that their employees, suppliers and customers can't get themselves in trouble. The Computerworld article puts the blame on the provider of the technology, and that's probably good. It should be their responsibility to provide safe products and networks. Ford is responsible for producing safe cars, Pfizer safe drugs, doctors good treatment. When that doesn't happen, they face liability. Why should technology providers be any different?
What does this have to do with SOX?
Digital-Enron? Just because Enron was one of the flames that sparked SOX doesn't mean the digital-Enron concept has any connection to SOX whatsoever. I have yet to read a good criticism of SOX from Techdirt, which is disappointing because so much else is decent.
Drumming up quotes from executives who complain about having to conform to SOX doesn't count for much unless you can explain exactly how it "hinders" them from doing their jobs, and doesn't actually increase accountability, tracking, monitoring, and independence of corporate financial statements. How you can relate SOX to bad computer security is beyond me, and I'd appreciate it if you could connect the dots more for me.
The bottom bottom line
Oh, and please concentrate on the content rather than the spelling; grasping the idea is the priority.
SarbOx for security? Ever heard of HIPAA? It has a
As published in the Federal Register on February 20, 2003...
http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf
see also
http://www.securityfocus.com/infocus/1764
http://www.hipaadvisory.com/regs/finalsecurity
http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf