US Considers Law Requiring Companies to Report All Cyberattacks (politico.com) 102
The Colonial Pipeline cyberattack has spurred new efforts in the U.S. Congress "to require critical companies to tell the government when they've been hacked." Politico reports:
Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition. The swift reaction from lawmakers reflects the disruptive impact of the ransomware attack on Colonial...
The vast majority of private companies don't have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet. That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they're perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks. Without reporting from companies, "the United States government is completely blind to what is happening," Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. "That just weakens our overall cyber posture across our entire country."
Wales said the solution was for Congress to require companies to report cyber incidents. Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government. The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year's massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said. "You couldn't have a better reason" for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.
Warner said the intent is to provide a "public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse..." In the case of Colonial, CISA's Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive... Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won't protect their information, leading to embarrassing and potentially actionable revelations.
Politico adds that "The incident reporting situation has become untenable, many cybersecurity experts say,"
"Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere."
The vast majority of private companies don't have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet. That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they're perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks. Without reporting from companies, "the United States government is completely blind to what is happening," Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. "That just weakens our overall cyber posture across our entire country."
Wales said the solution was for Congress to require companies to report cyber incidents. Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government. The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year's massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said. "You couldn't have a better reason" for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.
Warner said the intent is to provide a "public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse..." In the case of Colonial, CISA's Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive... Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won't protect their information, leading to embarrassing and potentially actionable revelations.
Politico adds that "The incident reporting situation has become untenable, many cybersecurity experts say,"
"Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere."
Amazing (Score:3, Funny)
Victims and witnesses to a felony have to report it now? It's almost like we're taking things seriously for the first time in my lifetime.
Re:Amazing (Score:4, Insightful)
Well, maybe... the companies that want to be secretive of being attacked may try to avoid the requirement by "not detecting" or creating doubts that anything happened --- often times attackers are covert, and may cause something that raises suspicion or alarm to go off, but if appropriate detection measures aren't in place, there may never be definitive evidence found to "prove to satisfaction of management" an attack occurred... Companies then write officially "no evidence found of compromise" (There may have been a compromise, but no definitive evidence of it surfaced.)
Now if the lawmakers would only mandate Taking adequate steps including monitoring and detection systems to help ensure reliable detection and investigation of successful or possible cyberattacks as well -- And make a required reporting category for suspected incidents, as well.
Re:Amazing (Score:5, Insightful)
When the FBI treats "failed cyber attack" as seriously as "failed bank robbery", we might see change. There is no point in monitoring and detection that works if the FBI won't treat an attack as a serious event.
Re: (Score:2, Interesting)
I've had hackers try to compromise my systems. I reported it to the FBI. The response was, "If you haven't been compromised, there is no case to open". When the FBI treats "failed cyber attack" as seriously as "failed bank robbery", we might see change. There is no point in monitoring and detection that works if the FBI won't treat an attack as a serious event.
Mandatory reportage of each and every failed cyberattack to the FBI would be like a DDOS on the FBI. Run wireshark and see who is trying to get into your computer. Warning - it can get a little disconcerting.
Re: (Score:1)
Re: (Score:2)
Mandatory reportage of each and every failed cyberattack to the FBI would be like a DDOS on the FBI. Run wireshark and see who is trying to get into your computer. Warning - it can get a little disconcerting.
For that matter, define a "failed attack".
A port-scan ? SSH-brute-force attacks ? Or does the attack officially start when a single credential is compromised ?
Re: (Score:2)
Mandatory reportage of each and every failed cyberattack to the FBI would be like a DDOS on the FBI. Run wireshark and see who is trying to get into your computer. Warning - it can get a little disconcerting.
For that matter, define a "failed attack".
A port-scan ? SSH-brute-force attacks ? Or does the attack officially start when a single credential is compromised ?
Well, we gotta figure that attacks start with the lowest level. So yeah, a port scan that is successful is finding out if a server is available for compromise. Someone scans my stuff, I consider that an attack - And if someone is "in the house" that isn't a failed attack any more. That's success.
Re: (Score:2)
A port-scan ? SSH-brute-force attacks ? Or does the attack officially start when a single credential is compromised ?
A port scan is not an attack - It's just like web spidering, a form of searching for what services have been opened and made publicly accessible on a host by sending messages, Unless it's so fast that it puts a strain on resources, then it's a DoS attack.
A SSH brute force repeatedly attempting multiple credentials is clearly an attack (Attempt to gain access) --- If it's just one or two
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
interesting, is there any examples of a business or corporation being charged with this?
Re: (Score:2)
They should have been reporting the whole time.
Should probably just send them firewall logs (Score:3)
Attempts to hack, or successful hacks?
If you're a company and nobody is trying to attack you, you're probably not a real company.
I was seeing hundreds if not thousands of attempts a month on a residential line.
Re: (Score:3)
That's one half of the problems with this sort of an idea for legislation. Other half is that since reporting on such an attack may have a very detrimental effect on market value of the company, some companies may actually scale down their security to "detect" only the worst cyberattacks and basically ignore everything else "because we didn't find out".
Re: (Score:2)
They will install an organisational filter one step before the level of "know" that the law describes. If the law says "company", they will outsource the whole thing with strict definitions of what gets reported by the outsourcer and what doesn't. If it says "management" they will write internal communication and escalation rules about what you can report to the government and what must be handled at the levels below. And so on.
It's not like they didn't do similar things before. I teach every CISO whom I co
Re: (Score:2)
Your point is completely valid and I agree fully. That said, this is fairly easily addressable in legislation via "entity within or without the organisation must report..."
Depends on the will of the legislature.
Re: (Score:2)
The two big challenges for this legislation are going to be addressing what time says, but its going to boil down to the following
1) What is a reportable attack?
Is an unsuccessful password spray an attack
What about failed DDOS attempt, a successful one
How about a plain DOS
2) Who specifically is a mandatory reporter?
How are they identified, in terms of job function etc
3) What is the obligation to detect and deter?
If an organization is entirely negligent, are they off the hook for reporting, if they don't kno
Re: (Score:2)
They can start with the US-CERT Federal Incident Notification Guidelines [cisa.gov] and trim them down for the public sector, possibly by business size and/or NAICS code. Businesses smaller than a certain size would be exempt.
Re: (Score:2)
Number one will be a bitch considering technical/IT competence of legislators, and their relative lack of ability to police bureaucrats responsible for writing this legislation. That said, there are some guidelines, such as one linked by another user below to start from.
Number two is actually relatively easy: "whoever is responsible party for relevant security". This sort of legislation has been hammered out to insanely detailed levels in financial world already when it comes to publicly traded companies.
Th
Re: (Score:2)
This sort of legislation has been hammered out to insanely detailed levels in financial world already when it comes to publicly traded companies.
And yet its litigated and tinkered with not all together infrequently. See changes just last year for who is a fiduciary for example.
I think 3) is quite relevant. The reporting obligation can't be discharged. So sure you can't say well I pay 'da da duh' to handle or security. If they failed to report its on them. Its still a big question as to if you have the capability to correlate logs across different endpoints for example. Do you conduct log reviews, how often etc. Those things might be the difference
Re: (Score:2)
I completely agree on point one. People find new loopholes, and those new loopholes keep getting closed. That's one of the primary tasks of legislature in the first place, to keep legislation aligned with intentions of legislators even after people find holes in it.
I may have a bias here that may be strange to you in that I come from a country with a very well functioning legislature. In this regard, if a problem is "bureaucrats writing legislature fix those issues as a part of natural function of legislatu
Re: (Score:2)
Yes, I trust professional propagandists to lie to me, be they you or CNN.
It's why I mock you as a matter of routine, getting you to desperately patrol all my posts on slashdot to post offtopic nonsense like this.
Re: (Score:2)
That said, this is fairly easily addressable in legislation
bwuahaha... *bump*... sorry, that we me falling off the chair.
There are armies of lawyers out there who make a living interpreting laws to the advantage of whoever pays them, bending it just short of the point of breaking, always so that if their client ever ends up in court, the judge will have to go "yeah, as written the law could be read like that..."
Depends on the will of the legislature.
Not in a legal system were people aren't so much trying to understand the law, but to find creative ways to read what they want into it.
Re: (Score:2)
That is what a well functioning judiciary is for. And if you actually consider how well US judiciary functions overall, rather than focus on a small handful of outliers, I think you'll find it to be an exceedingly well functioning one.
Essentially your lawyers can argue until they're blue in the face about their understanding of the law. In the end, it's the judiciary, not the lawyers representing any of the sides that make the decision.
Re: (Score:2)
That is what a well functioning judiciary is for. And if you actually consider how well US judiciary functions overall, rather than focus on a small handful of outliers, I think you'll find it to be an exceedingly well functioning one.
Oh. That's why there's almost no tax evasion and corrupted politicians are jailed left, right and center.
Now, let's talk about the US of this universe...
Essentially your lawyers can argue until they're blue in the face about their understanding of the law. In the end, it's the judiciary, not the lawyers representing any of the sides that make the decision.
I've actually been in courts (professionally). I have literally written arguments that the judge copied verbatim into his written judgement because we managed to convince him. And I'm not even a fully qualified lawyer.
Re: (Score:2)
>Oh. That's why there's almost no tax evasion and corrupted politicians are jailed left, right and center.
This is called "child's perspective". If something bad happens, that means entire system is obviously corrupt, needs to be torn down and replaced by a wonderful utopia. It's a view on the world that tends to shatter on any direct contact with reality.
Hint: the total amount of corruption in Western societies is the lowest it has historically been. Ever. And the trend of improvement is steady.
Now, if y
Re: (Score:2)
This is called "child's perspective". If something bad happens, that means entire system is obviously corrupt, needs to be torn down and replaced by a wonderful utopia.
I said nothing like that. Both tax evasion and corrupt politicians are facts, and more common than they should be. That doesn't mean the whole system bla or torn down blub. It's just realistic to see what's wrong.
Hint: the total amount of corruption in Western societies is the lowest it has historically been. Ever. And the trend of improvement is steady.
I'd like to know your source for that.
Shall we start the gas chambers?
But we're already doing that. This time the gas is CO2 and not something else, so the effect will be slower, but yeah, obviously, humanity is stupid enough to wipe itself out.
Re: (Score:2)
>I said nothing like that. Both tax evasion and corrupt politicians are facts, and more common than they should be.
>more common than they should be.
>at their historic lows, and going down steadily.
Child's perspective.
>But we're already doing that. This time the gas is CO2 and not something else, so the effect will be slower, but yeah, obviously, humanity is stupid enough to wipe itself out.
Fun part: climate scientists are now crystal clear that there are no predictions of "humanity wiping itself
Re: (Score:2)
Again, you make a claim and I asked for your source. You evaded that question, so I will assume you don't have a source and just made that up on the fly.
Meanwhile, this source [worldpopul...review.com]: gives a higher corruption score to most western countries than it gives to most african countries.
Another source [foreignpolicy.com] states the opposite of what you claim, namely "Corruption in U.S. at Worst Levels in Almost a Decade".
Another one [tradingeconomics.com] tracks since 1995 and it shows ups and downs. You could look at the past 3 years and claim an all-time low,
Re: (Score:2)
Do you know how I know you to be an idiot?
You cite blogs and neoconservative think tanks against observable reality, and conclude that observable reality is wrong. Even a cursory observation of history will tell you otherwise. Let me give you a very much "in your face" example of just how much better we're going in terms of corruption than the past.
Do you know what "nepotism" actually means? It's sourced from italian for "nephew". Today, we recognise it as a form of corruption where any relative is favoured
Re: (Score:2)
The singular of "data" is not "anecdote". And if you seriously think that family and other connections don't work anymore, then you should talk to the me from 2001, not from 2021, that one might believe you.
But we can close this here. I gave some sources, you complain about them but again don't back up your claims with anything more than your own words, so there's nothing substantial left to discuss. byebye.
Re: (Score:2)
I gave you a source as well, that is a story with multiple highly credible sources. You chose to ignore them, just as you chose to ignore observable reality of today, where planet is greenest it ever was, life for a median human is better than it ever was, deserts are rapidly greening, global food production is at all time high, and even the island nations in the Pacific that were supposed to be sitting mostly under water... aren't.
And yet, people like you are willing to sacrifice everything and everyone be
Re: (Score:2)
Re: (Score:2)
DDoS (Score:4, Insightful)
Attackers can launch underwhelming cyberattacks for the sole purpose of creating unbearable overhead for their targets and the regulatory agencies.
Re: (Score:2)
Thank you. I was about to say that.
Regulation works in non-adversial space. When you are in adversial space, you need to consider what the attackers can potentially do with whatever it is you are putting in place. Everyone who makes any rules in cybersecurity needs to know about firewalking, anti-forensics, etc.
Re: (Score:1)
We need to require licenses for these companies (Score:5, Insightful)
To work in a nail salon in Georgia (USA) requires a license. To get that license requires 525 hours of coursework at a state approved school and pass an exam.
That, plus 15 hours continuing education credit every two years to get renewed
Among the courses are:
i. Skin Diseases and Disorders
ii. Nail Structure and Growth
iii. Nail Product and Chemistry
iv. General Anatomy and Physiology
I want everyone at the C-level of any company that maintains customer records or operates infrastructure (hospitals, banks, credit bureaus, utilities, etc ) to have as much education in computer security as nail salon technicians. 500+ hours, pass an exam, and re-licensed every year or two.
Then we can start putting their butts on the line.
Re: (Score:2)
I want it to the case where any C-level in a firm that pays a ransom to be disbarred from a senior executive position for 10 years.
Further anyone involved with paying said ransom should get a 12 months jail sentence with a minimum of six months actually locked up.
Being aware of a ransom being paid and not informing the authorities 6 month jail sentence with a minimum of three months actually locked up.
Finally any country that refuses to extradite someone for being involved in ransomware gets cut off from th
Re: (Score:2)
I want it to the case where any C-level in a firm that pays a ransom to be disbarred from a senior executive position for 10 years. Further anyone involved with paying said ransom should get a 12 months jail sentence with a minimum of six months actually locked up.Being aware of a ransom being paid and not informing the authorities 6 month jail sentence with a minimum of three months actually locked up.
I am going say, hard no on that. One should be free to expend their personal wealth or an organizations of which they are an officers wealth anyway they see fit. However paying a ransom creates an externality that in that it encourages more hostage taking. The correct thing to do is enact a TAX on ransoms, the proceeds should go directly to funding law enforcement efforts against hostage takers. The tax should probably be pretty high like 100%
Finally any country that refuses to extradite someone for being involved in ransomware gets cut off from the US financial services. Ideally the G7 members and EU would sign up to this as well. Once profiting from ransomware is difficult to impossible then and only then will it stop.
This part I can agree with, I would also suggest the ban on CIA
Re: (Score:3, Funny)
Now do the requirements for being President.
Re: We need to require licenses for these companie (Score:2)
Re: (Score:3)
You need to be 35 or older and have resided in the US for at least 14 years.
Re: (Score:2)
Needs more funny.
Re: (Score:2)
Don't be too proud of this technological terror you've constructed. The ability to destroy a planet is insignificant next to the power of The Force.
In other words, all you're going to do is create more roadblocks and hoops to jump through for small businesses and the big companies will simply pass the costs on to you and it sure as hell won't solve the problem. The correct solution is making the threat of punishment for cybercrime so scary that nobody will want to do it. This is of course assuming that s
Two reasons why you can't do that (Score:2)
Second, C-Level employees are in charge of everything. They make the rules, and they're not going to go for what you're suggesting.
The credit card industry had these problems and fixed them after the threat of serious regulation. That's what's needed here. It's not about expertise, it's about regulation. You have to force people to act in the best interests of society or they won't do it. Beca
Re: (Score:2)
You have to force people to act in the best interests of society or they won't do it.
This. All the way this.
very seldom that the best interests of society are the most profitable for an individual company
Not necessarily. In his book "How Asia Works", Joe Studwell makes a strong case that people smart enough to make a profit will do according to society's constraints. He presents his case study and analysis of South Korea's rise to economic power under Park Chung-hee's dictatorship.
The generalissimo forced companies to seek out the development of intellectual know-how and to then export those products and services (as opposed to what most other developing nations do, which is to be c
Re: (Score:2)
And who determines what is in the interest of society?
Its a serious question because I keep reading how we have all these entities that don't act with society in mind yet its not like the US is the product of some recent resolution. Were 250 years of elected law makers into this now. Even slicing through the US Code with a chain saw is difficult, all of that is ostensibly there to "make people behave in the interests of society" and yet here you are still writing.
Be honest what you really mean when you make
They do!! (Score:2)
I'm 100% positive all C-Suite employees "have as much education in computer security as nail salon technicians."
In reality, 500 hours in computer security sounds good, but shouldn't they also have education in accounting, HR, safety, and other disciplines? All those are important.
Also, I can start a food truck and incorporate for a few hundred dollars. Should I have to go through 500+ hours of computer security training as a one man corporation?
Like that is going to happen (Score:2)
It's about time. (Score:2)
Punish the victims? (Score:3, Insightful)
Your corporation has been attacked by a ransomware gang. They have locked up all of your records and accounts and are in a position to bankrupt you and destroy your company. They say they will destroy all the records immediately if you report the attack to the authorities. But you have another problem. Senator Bumble has gotten a new law passed that will punish you if you don't report the attack to the authorities. This is exactly like a law requiring you to report the kidnapping of your child to the authorities even though the kidnapper says he will kill the child if you do this. Companies will not comply with any law like this and I understand why.
An operation w/o backups is like a bank w/o locks (Score:2)
Your corporation has been attacked by a ransomware gang. They have locked up all of your records and accounts and are in a position to bankrupt you and destroy your company. They say they will destroy all the records immediately if you report the attack to the authorities. But you have another problem. Senator Bumble has gotten a new law passed that will punish you if you don't report the attack to the authorities. This is exactly like a law requiring you to report the kidnapping of your child to the authorities even though the kidnapper says he will kill the child if you do this. Companies will not comply with any law like this and I understand why.
A site without backups is like a bank without security cameras and locks. Unless your attackers found a genius way to lock up your data AND your backups, I really don't have a ton of sympathy. I was ensuring public websites had daily backups to protect them from tampering or hardware failure in the mid 90s. Many professionals had been doing it long before I. It's really not very hard. Boring?...sure...cheap?...not especially, but "in my day" it was considered absolutely necessary. Maybe now with every
Re: (Score:2)
Your corporation has been attacked by a ransomware gang. They have locked up all of your records and accounts and are in a position to bankrupt you and destroy your company. They say they will destroy all the records immediately if you report the attack to the authorities. But you have another problem. Senator Bumble has gotten a new law passed that will punish you if you don't report the attack to the authorities. This is exactly like a law requiring you to report the kidnapping of your child to the authorities even though the kidnapper says he will kill the child if you do this. Companies will not comply with any law like this and I understand why.
A site without backups is like a bank without security cameras and locks. Unless your attackers found a genius way to lock up your data AND your backups, I really don't have a ton of sympathy.
To be certain, an exploit can get into your backups.
But you are correct, All these places need to start taking cybersecurity seriously, and step 1 is to stop thinking of it as a cost center group. That is if they think of it at all. And your analogy of the lack of computer security is the equivalent of having no physical security is spot on. Because either is an open invitation to the bad guys.
Re: (Score:2)
Backups don't prevent your trade secrets or sensitive employee records from being disclosed.
Backups even with tested, practiced recovery systems don't always mean the cost of executing a recovery organization wide is less this what the ransomers will ask
Backups are not magic!
Its not the 90s anymore - so yes business should by now have a solid backup recovery system in place
Its also not 2010 anymore - the ransomware gangs have moved on to bigger and nastier things just running AES over every writable file.
Re: (Score:1)
Of course GOP doesn't want it... (Score:3)
I think this law is a good idea, but it's going to be QUITE rough for the conservative bubble sites until they get their act together. Personally, I am neutral on Gab and Parler...as long as they're not conspiring to break the law, I don't care what people do in their echo chambers...it sounds better for them to have an understanding audience and better for the rest of us who don't want to hear rants from either side. Given their high profile breaches, I wonder how many they were able to cover up? How many breaches happen at Facebook and Twitter, in contrast?
Re: (Score:2)
I suppose Parler just finds engineers who feel Twitter's ban on violence and hate speech is too constricting on their world views.
Their computer security team is likely a family member who "knows all about this computer shit". Which means they were related, and knew how to log into Facebook.
Given their high profile breaches, I wonder how many they were able to cover up? How many breaches happen at Facebook and Twitter, in contrast?
I have to be on Facebook as part of the work I'm doing at present. But of course, family and friends find you. The biggest thing on Facebook is the idiots who take the little "Tests" like "What was the name of your first pet?" or " Where were you born?" I honest to god shit you not, these idiots answer the freaking questions online, which are the
Re: (Score:2)
The biggest thing on Facebook is the idiots who take the little "Tests" like "What was the name of your first pet?" or " Where were you born?" I honest to god shit you not, these idiots answer the freaking questions online, which are the same damn answers to password recovery questions.
It's not just that they reveal their likely password recovery answers - it's also that they self-select as people gullable enough to fall for phishing mails and various types of scams.
Re: (Score:2)
The biggest thing on Facebook is the idiots who take the little "Tests" like "What was the name of your first pet?" or " Where were you born?" I honest to god shit you not, these idiots answer the freaking questions online, which are the same damn answers to password recovery questions.
It's not just that they reveal their likely password recovery answers - it's also that they self-select as people gullable enough to fall for phishing mails and various types of scams.
And boy do they fall for them. One of the clues that someone ended up compromising themselves is when you get another friend request from the same person. Except it isn't the same person.
Many of the same people end up falling for facebook's accidental radicalization algorithms as well. with every like, you get increasingly radical "suggestions" I've seen a few friends, left and right, go down that road.
Except... (Score:2)
Really, what you wrote is essentially an anti-Conservative rant from the Left, despite your claims of neutrality or of being someone uninterested in "rants from either side". Your premises are ridiculous and your assumptions are insulting.
Re: (Score:2)
What makes you think this is a GOP issue?
The law makes it a crime to be a VICTIM of a crime, if you choose not to tell anyone. In some types of crimes, the public knowledge that the crime took place, is worse than the crime itself. So why do we want to add insult to injury?
I'm no fan of the GOP, but I have no idea what it has to do with conservative politics.
Your question is answered in TFA (Score:2)
What makes you think this is a GOP issue?
The law makes it a crime to be a VICTIM of a crime, if you choose not to tell anyone. In some types of crimes, the public knowledge that the crime took place, is worse than the crime itself. So why do we want to add insult to injury?
I'm no fan of the GOP, but I have no idea what it has to do with conservative politics.
The answer is in the TFA
Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition.
It's a GOP issue because they've opposed it in the past. I will give them the benefit of the doubt and assume it has nothing to do with Gab and Parler, but more to do with their history of enabling businesses to run themselves terribly so long as they donate enough to GOP candidates.
To answer your other question, why add insult to injury? Because if they get by with it, the organization will just do it again. They're not politically motivated hackers. They just want money. T
Re: (Score:2)
Let's say you're right that corporations are EVIL. How does that make committing crimes against them OK? Let me explain.
You have a neighbor who never remembers to lock their doors. A thief burglarizes their house. They still don't lock their doors. Another thief comes. Your neighbor is careless, and you'd have a hard time feeling very sorry for them, but you still don't punish them further under the law! They have already suffered for their carelessness, but we recognize that the thief is the criminal, not
Re: (Score:2)
Let's say you're right that corporations are EVIL. How does that make committing crimes against them OK? Let me explain.
That was never stated. Committing a crime is committing a crime. No one is advocating crime is OK. The only thing advocated is that you must report the information to the authorities so they can thwart the next crime. We already have laws that require teachers, police officers, and medical professionals to report child abuse. I think it is reasonable to say "If you're part of a trusted profession, you have a duty to report crimes." We're trusting them with data. If they are attacked, they need to rep
Re: (Score:2)
That was never stated
From your own words:
The thing about publicly traded corporations is they're evil sociopaths by design
We already have laws that require teachers, police officers, and medical professionals to report child abuse
Yes we do, and these laws have had serious unintended consequences.
https://www.nbcnews.com/news/u... [nbcnews.com]
Despite all the talk about a right to privacy, we as a people are quite willing to give our privacy away, for a really small price. Most do not consider their data privacy worth paying even a small amount. https://datainnovation.org/201... [datainnovation.org]
Yet you insist that companies should be forced to risk their own survival to protect the privacy that no one actually values. The only thing that privac
If attackers are just seeking data not ransom... (Score:2)
...it's often not obvious a breach has taken place. And effective information thefts don't leave traces.
So how can you liable for reporting something you're not sure happened?
defining the undefined (Score:2)
Great! Finally the government will spend the time and energy, research and expertise to come up with a global, functional, well-thought-out definition of the term "cyber security incident".
Because, you know, most of the banks, insurances, infrastructure companies and others that I help with their security don't have that. They define an "incident" as whatever the person who wrote the incident response process thought would be a good fit at that time, usually with no research or reference to anyone else.
Some
A little perverse (Score:2)
Maybe if it is limited to already heavily regulated industries like finance and critical infrastructure? Maybe a way to keep it all confidential until they put someone on trial? Seems like a pretty tricky situation with many opportunities for it to backfire.
Every Fortune 1000 company every day (Score:2)
I'd bet my house that every Fortune 1000 company experiences a "cyber attack" every day. Every website is scanned for weakness. At least one computer in all those companies has AV fire off an alert. Many users and likely every CEO, CFO, and CIO get daily spam trying to get them to click on a link to compromise their computers. All those are attacks of some kind. Where would companies draw the line?
Successful cyber attacks you say? So, anytime any company gets a PC infected with malware, they should call the
Re: (Score:2)
"Successful is defined as a leak of data from specific categories."
So encrypting or wiping every hard drive in the company isn't a leak and therefore isn't consider a "successful" attack?
No mention of MICROS~1 (Score:1)
Cure worse than the disease (Score:2)
Sometimes, the worst part of a crime is that people find out it happened. This is especially true for "minor" crimes. In some cases, the fact that the crime occurred is more embarrassing than anything.
So let's add insult to injury and punish the victims!
*Every* attack (Score:2)
Back in the day, when Comcast was giving public IP addresses, my firewall logs were full of SSH and RDP attacks (to a Linux machine, people don't even check). fail2ban, and things were okay, but if the law requires every attack, that means, they will just receive a massive DDOS in the form of firewall logs from all companies.
Btw, long ago when I was in charge of our department computers, we would actually report the attacks to the IP owners, and received feedback from them. Today it is 99.99% chance a botne
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Some states like Tennessee make everyone in the state a mandated reporter for child sexual abuse.
Re: (Score:2)
Tax laws require you to tell the government your income.
Banks are required to report when a customer deposits > $5000.
Re: (Score:2)
Banks are required to report when a customer deposits > $5000.
I'm pretty sure that is $10k, and it only applies to cash transactions (with some exceptions). But otherwise your point is still valid.
Re: (Score:2)
No it does not only apply to cash transactions and no it is not specifically $10k.
It does apply to only cash transactions, but the definition of cash transaction is not exactly the same as most people would intuitively think. The statutes do define what they mean by cash transactions, which includes these other types of transactions (which is why I said "with some exceptions" in my post).
many people think they can just make a series of 9.9k transactions and it won't be reported, and they would be dead wrong. basically any series of unusual or out of the ordinary amounts for an individual (especially if coming from unknown sources) would trigger the need for them to report.
It is true that structuring is another activity which requires reporting, including many other activities. But the original post only mentioned single customer deposits over $5000, which there are no US
Re: (Score:2)
Then can even make people report to jury duty.