White House Tackling the Economics of Cybersecurity 47
GovTechGuy writes "White House Cybersecurity czar Howard Schmidt will be hosting a meeting Wednesday with the Secretaries of DHS and Commerce in which he is expected to discuss the administration's new attempt to change the economic incentives surrounding cybersecurity. Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win. The White House could be considering things like tax incentives, liability and insurance breaks, and other steps to try and get companies to invest in protecting their networks. It's also likely to dovetail with a step up in enforcement, so hackers be wary."
Right (Score:5, Insightful)
Anything with the word cyber in it is automatically bullshit as far as I'm concerned, so lets dig a little deeper. Who is coming to this meeting?
Among those invited is Larry Clinton, president of the Internet Security Alliance, which represents a range of critical private security industries concerned about cybersecurity.
Ah, the Internet Security Alliance. And who do they represent? No major software or hardware companies are listed. [avectra.com] (Symantec doesn't count) Funny enough, I see companies like Raytheon, Boeing, and Lockheed Martin. I'm just speculating (you know, this being /. and all), but something tells me the good ol' boys of the defense industry are trying to get another gravy train started up here.
Re:fix the banks (Score:5, Insightful)
ZOMG MARK OF THE BEAST MARK OF THE BEAST!!!1!!
Seriously, do you know how many tin foil hatters would scream bloody murder if the government even tried something like that?
Simpler Fix (Score:4, Insightful)
Require banks to pay for every single breach that is their fault. Right now, it's the merchants who get screwed. If someone walks into one of the retail outlets I consult for with a fake ID, matching fake credit card, and walks out with the merchandise, 9 times out of 10 there is some obscure rule that wasn't followed that will allow the cardholder to get their money back, and the bank to get their money back, leaving the merchant with the option to take cash only or take the hit and continue doing business. "Cybercrime" -- or as I like to call it, 21st Century Crime -- only gets worse from here.
This is free market capitalism at it's finest, where the costs always find their way to the entity with enough money to pay the bill, but not enough to fight the system that forces them to pay. Unfortunately, the government not giving two shits about small businesses has been old news for some time. Hopefully people are going to wise up and realize that you don't do away with the government, just the lobbyists and corporate revolving door that is currently ruining it.
Re:Incentivizing Good Behavior (Score:3, Insightful)
Sure, on the side of the people doing the security stuff. But audits for compliance with regulations is really the minimal standard applied at my work -- a VERY large software company -- and little else. If there's no financial repercussion for lack of a security implementation, that thing is never, ever put in. Not even if it's "best practice". If we have to have it, good, put it in, but if we don't absolutely have to, the security request rots forever in the hell of a planned upgrade some day.
We recently had a project that was like that. Five planned phases. Phases three and four had a major focus on security implementations. Well, they did Phase 1, the rollout, and Phase 2, the integration with other apps, then the next thing everybody heard we were at Phase 5, showing this off as a showpiece of integration. When I called the vice-president to complain about this, his response was basically "we'll get around to it, it's not a problem."
Welcome to modern large-scale software design. If you aren't legally required to have some certain bit of security in place, with financial repercussions for violation, it isn't happening. And it's not the software company that suffers in the case of a breach; it's the privacy and security of the innocent people USING that service.
Re:Insurance? (Score:4, Insightful)
I wasn't suggesting that - but it seems like we're paying people to try and lock their door, I don't remember any Tax break for putting locks on my door, even if my house was filled with other people's personal info.
So, if an Insurance company won't insure someone because they don't put forth the effort to show they even want their stuff protected, why should Tax payer dollars support people who never cared to protect it in the first place?
As an optional incentive, it seems pointless. Corporations will claim they set up security in order to save on taxes.
Leave it to the Market (Score:1, Insightful)
If companies were at risk of "cyber-attack", they'd take appropriate precautions. If they're not at risk, they wont; it's a waste of money.
If it was feasable to attack corporations for profit, people would be doing it. if it's not, they wont try.
"Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win" ... and yet, it's business as usual.
If that were true, then companies would be getting ransacked right now.
The market forces are in balance. Therefore; corporations already have the appropriate level of security.
Just an excuse for more government controll.