What A Sarbanes-Oxley For Computer Security Might Look Like

from the bad-ideas dept

One problem with the constant talk about data breaches, phishing and identity theft is that it has real potential to induce shortsighted legislation passed in the hope that the problem will go away. Some have even said that nothing will happen on the legislative front until we see some sort of "digital Enron" that forces politicians into action. Of course, the actual Enron resulted in the much-lamented Sarbanes-Oxley, which stands as evidence that sweeping laws shouldn't be made in haste during times of crisis. It's not clear whether we've had our "digital Enron" yet, but already some pundits are putting forth their ideas for a digital Sarbanes-Oxley. Ira Winkler at Computerworld argues that Congress should mandate ISP liability for malicious traffic on their networks, something we've argued many times is a bad idea, since it goes after the wrong party. But this is just the beginning. In addition to placing liability on ISPs, he says that individual computer users should be held liable if they fail to keep their computers secure and those machines become part of a botnet. It's hard to know where to start with that idea, other than to say that it again goes after the wrong party, and that it could discourage the average person from ever wanting to go online. His final suggestion is that Congress pass a law that makes security software better. He doesn't offer anything concrete on this point, which is not surprising, because it's out of the realm of what Congress can do. Simply legislating that something be made better will only increase the cost of making it and reduce its availability. Seeing as the government can't even pass effective laws against spam, anything it does in the area of identity theft or computer security should be viewed with suspicion. Fortunately, this particular proposal seems so extreme that it's hard to imagine it going anywhere.
It's also interesting to note that this is the second thing we've seen today from Computerworld that calls for more government involvement in tech issues. Sounds like they could use some more skepticism about the government's ability to solve these problems.

Reader Comments


  • PhysicsGuy, 1 Feb 2007 @ 4:09pm

    ummm...

    not having read the post at computerworld, judging from your overview of it, i'd have to say it's a farce, a sham, a joke, a facetious attempt to shift the Sarbanes-Oxley to the digital realm. yet, somehow, you seem to be commenting on each claim as if it's meant to be taken seriously. this confuses me. either they're serious, or you're extremely dense. also, typo in the second to last lines. we're not in kansas anymore, nor are we on oz, so there's no tin tech... :P

  • vapiddreamer, 1 Feb 2007 @ 5:58pm

    Hey PhysicsGuy

    Another perfect example of why one should forgo commenting unless they RTFA, you turd.
    Your comment seems to lean WAY more towards believing that this is a mistaken interpretation of the article, but those fools over at CW aren't joking in the least. Not some parodied sham to point out how flawed Sarbanes-Oxley is or point out how idiotic any similar legislation concerning the web would be. They honestly believe that shit.

    And, PhysicsGuy, that extra second you spent getting snarky on spelling would have been better spent RTFA, you tard

  • Software Developer, 1 Feb 2007 @ 6:04pm

    Fewer idiots on the 'net?.... sign me up.

    Poor attempts at humor aside, many of my tech friends and I often lament the number of "novice" users on the Internet. While I realize it's a pretty attractive playground, it can also be very dangerous. People need to be aware of that and take appropriate steps.

    We tend to think of it as the children's playground on the not-so-nice side of town. Children shouldn't be left to go play on their own without either (a) competent supervision or (b) some means to defend themselves in case of trouble.

    That being said, where do we draw the line? What are the minimum requirements for getting online? A two-week training course? Mandatory software/utilities? To be honest, I don't know.

    I do like the idea of requiring better software though, even as a developer myself. I just finished taking a 3-day training course on ASP.Net and the instructor took time out to show us how the samples provided could have been written better (actually, his words were more like "never ever ever ever write code like this - it's just bad"). We spent an entire day working on how to secure a site and security considerations. In the end, I think a big part of improving computer security will fall to the developers and we need the training. Perhaps the place to start is the colleges and universities by making security considerations a required minor for all developers....

    Unfortunately, I don't have the answers... just a lot of half-baked ideas. I do what I can to protect myself, teach my family and friends to protect themselves and help people in distress where I can. I just wish there were fewer "novice" users and more "competent" users.

  • g, 1 Feb 2007 @ 6:56pm

    More laws = money consulting money

    No surprise someone who writes computer articles wants this, since writing computer articles doesn't pay the bills.

    Writing computer articles is like writing books, mostly a really big and heavy business card to be used in getting lucrative contracts.

    Contracts like... a never ending stream of audits that have to be performed to be in governmental compliance.

    I guess not enough people are becoming ISO compliant anymore and maybe people have figured out that SOX doesn't apply to their computer systems and so aren't wasting as much money there?

  • DVD_PIRATE, 1 Feb 2007 @ 7:28pm

    People Please

    What it all boils down to is this: Do we want "Big Brother" regulating absolutely everything that we do, or do we want to regulate ourselves? Why don't we develop a consortium to track down the "spammers", "phishers", and general malcontents and use the technology we have to make them wish that they had never heard of, nor attempted such foolishness on innocents. If any person can be considered innocent, that is. Bitching and moaning and waiting for the government to act is like waiting for doomsday: it'll come, we just don't know when nor what will happen.

  • hoeppner, 1 Feb 2007 @ 7:34pm

    Would ChoicePoint be our digital Enron? Or is it just a good example of why people need to have more rights over their personal information, and why big databases are bad?

  • Raging_Looney, 1 Feb 2007 @ 9:46pm

    If you can't beat them.....

    The sad thing is I'm starting to wish instead of a career in IT I had chosen accounting or law. But since I tend not to like many of the former breed I chose to do what I do with computers. But now the audits, the seagull consultants, the business process analysts that are reaping those large consulting fees that sap the energy out of most IT shops may have brought me to the edge. I may just have to join the dark side, jump on the SAS 70 bandwagon, and begin to spread FUD in the name of safety, or someone's version of what passes for it. I just have to lobby for laws that will force almost any business to pay me exorbitant fees to check a few boxes on the audit form that was pulled out of the last box of Cracker Jacks by the head of Arthur Andersen just before he failed his last audit. Don't they give those audit forms out when you sell your soul to the bean counters? I can double my salary and run up huge expense accounts. Ah, the life. Is it just me, or does it look like much of the competitive advantage of any business that is carried by those that do rather than those that watch is being eroded? I guess that's one way to bring the $$ back to Europe/America from the outsource industry: charge admission to the playing field with an audit tax.

  • Patrick Mullen, 2 Feb 2007 @ 8:17am

    Those that think that technology can solve all of the security issues have already lost the game.

    Organization after organization has been forced to announce security. The security industry touts the latest vulnerability to hype their sales and some companies run out to buy the latest technology to "protect" themselves and their customers. Months go by and then the next attack is announced, usually bigger than the previous announcement. Technology is not the only answer, it will not solve the problem alone, and it will not secure our nation's critical information structure.

    The key is that companies need to ensure that their employees, suppliers and customers can't get themselves in trouble. The Computerworld article puts the blame on the provider of the technology, and that's probably good. It should be their responsibility to provide safe products and networks. Ford is responsible for producing safe cars, Pfizer safe drugs, doctors good treatment. When that doesn't happen, they face liability. Why should technology providers be any different?

  • MyNameIsMatt, 2 Feb 2007 @ 12:48pm

    What does this have to do with SOX?

    I agree with your conclusion that what this author proposes aren't such great ideas, but this sideways attack on SOX is completely off base.

    Digital-Enron? Just because Enron was one of the flames that sparked SOX doesn't mean the digital-Enron concept has any connection to SOX whatsoever. I have yet to read a good criticism of SOX from Techdirt, which is disappointing because so much else is decent.

    Drumming up quotes from executives who complain about having to conform to SOX doesn't count for much unless you can explain exactly how it "hinders" them from doing their jobs, and doesn't actually increase accountability, tracking, monitoring, and independence of corporate financial statements. How you can relate SOX to bad computer security is beyond me, and I'd appreciate it if you could connect the dots more for me.

  • Steve Miller, 2 Feb 2007 @ 12:58pm

    The bottom bottom line

    As long as humans exist, we have non-secure conditions. If we flood the arena with security, productivity ceases. If we have no security, we have chaos. If we have the perfect mix of security so as not to stifle productivity, we have humans finding ways around the security. This is the conundrum of the times. Legislation will not change any of this.
    Oh, and please concentrate on the content rather than the spelling; grasping the idea is the priority.

  • GUEST, 4 Feb 2007 @ 3:16pm

    SarbOx for security? Ever heard of HIPAA? It has a

    If you want to see how well legislated information security works, or doesn't, look toward the HIPAA security standard.

    As published in the Federal Register on February 20, 2003...
    http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

    see also
    http://www.securityfocus.com/infocus/1764
    http://www.hipaadvisory.com/regs/finalsecurity
    http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf
