Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
United States Government Security

Senate To Probe Whether Legislation Needed To Combat Cyber Attacks (reuters.com) 54

U.S. Senate Majority Leader Chuck Schumer on Thursday said he is initiating a review of recent high-profile cyber attacks on governments and businesses to find out whether a legislative response is needed. From a report: "Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals." Schumer noted that the New York City subway system was the victim of a computer hack in early June. This came on the heels of Colonial Pipeline having to shut down some operations, resulting in disrupted fuel supplies in the U.S. Southeast, as a result of a cyber attack.
This discussion has been archived. No new comments can be posted.

Senate To Probe Whether Legislation Needed To Combat Cyber Attacks

Comments Filter:
  • The fact that they need to ask really goes to show how out of touch they are. 10,000x times yes! DO SOMETHING. I want black helicopters and enhanced interrogation. Ruin these people.

    • by Anonymous Coward

      The fact that they need to ask really goes to show how out of touch they are. 10,000x times yes! DO SOMETHING. I want black helicopters and enhanced interrogation. Ruin these people.

      Ruin them how? What if they are outside of the U.S.? Then what?

      The common sense solution:
      (1) Make it illegal to make payments to a criminal organization (e.g. Paying "Ransom"). and enforce the law.
      (1a) It might already be illegal. If it is, enforce the law.
      (2) Very large fines for any business operating critical infrastructure who fails to properly secure their network. 99% of all "ransomware" is only able to exist because of sloppy lax security.
      (3) Fines have little or no effect on big companies with

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Here is what they will really do:

        1: Make discussing hacking, having physical lockpicks, and debugging tools a crime, a la the DMCA.

        2: Make jailbreaking and repairing devices a Federal crime.

        3: Make talk about hacking a Federal offense, similar to the original CDA law which got struck down before it even would go into effect.

        4: Require all Internet connected PCs to run an anti-virus like utility, but would scan for pirated music, movies, software, and check websites visited, and anything detected, would

      • Ruin them how? What if they are outside of the U.S.? Then what?

        That's literally why we have a military. Economic warfare is still warfare, and cyber attacks target infrastructure in nearly every case (targeting the economy is targeting the supply chain of the nation, the military, and citizens.) So much as sending spam should result in a drone strike, not even joking.

    • OMG Yes, next we should make rape, robbery and murder illegal. Just think of the possiblities.
      • by lsllll ( 830002 )
        There are already laws that make rape illegal. Now if you want to pass a law making rape illegal in a specific location, like my basement, go at it.
    • by lsllll ( 830002 )
      Are you fucking retarded? There are already laws on the book that would put these people away for decades if they happen to be caught. We don't need more laws. There are better ways to waste our taxpayer dollars.
  • Schumer (Score:5, Funny)

    by bws111 ( 1216812 ) on Thursday June 10, 2021 @03:15PM (#61474696)

    Considering it is Schumer, he brilliant idea is probably to ban assault computers. That'll fix it.

    • "I'm from the government, and I'm here to help."
    • Maybe in the future enemy computers will be blowing up like star trek consoles.

    • The computer is black and has scary looking alien heads and flashing lights coming from the chassis. It includes a high grade BitCoin farming apparatus that is being improperly used to draw 3d graphics. You don't need all that for just writing in Word. That user is obviously up to something nefarious.

  • by OrangeTide ( 124937 ) on Thursday June 10, 2021 @03:43PM (#61474762) Homepage Journal

    Except those dinguses can't even agree on what to do about physical attacks on their own building...

    I imagine for cyber attacks one party will craft a bill that just hurls insults at China but does nothing about the actual problem, and the other party will wring their hands hoping to reach across the aisle and get bipartisan support for the meaningless legislation.

  • Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals.

    Well one could always try the same tactics that worked in the drug war.

    • Well one could always try the same tactics that worked in the drug war.

      "Stop! No! Don't click that link!" PSA's on after-school television. That should fix it! We can do this. The government will fund it for sure.

  • by CrimsonAvenger ( 580665 ) on Thursday June 10, 2021 @03:47PM (#61474768)

    Somehow, I'd always had the impression that "crimes" implied "illegal". Of course, they could be trying to make it MORE illegal.

    Which begs the question "if you couldn't catch them when it was only somewhat illegal, what makes you think making it more illegal will do anything at all?

    • Somehow, I'd always had the impression that "crimes" implied "illegal".

      Chuck isn't talking about making the attacks illegal (they already are) but about criminalizing the negligence that allows the attacks to happen.

      That is still stupid, but for different reasons.

      Which begs the question ...

      No, it raises the question: "Begs the question" [wikipedia.org] means something completely different.

      • Chuck isn't talking about making the attacks illegal (they already are) but about criminalizing the negligence that allows the attacks to happen.

        That makes more sense, but unfortunately TFA is incredibly light on details.

        That is still stupid, but for different reasons.

        Why is that? I wouldn't mind if companies that provide essential infrastructure are forced to take IT security more seriously, because they're not going to unless they're pressured.

        • Why is that?

          Many Americans naively believe that any problem can be solved if we just throw enough people in prison. There is little evidence of that.

          Criminalizing mistakes pushes good people away from critical positions. Pay will go up to compensate for the risk, attracting unprincipled mercenaries who are good at lying, ass-covering, and shifting blame.

          No one who has experience with the American criminal justice system believes that it is fair and efficient at uncovering the truth and incentivizing good behavior.

          Man

          • Criminalizing is not the only legislative approach that can be taken. There is regulation for payment processing (imposed by credit card companies) and for dealing with medical records (imposed by the government); something similar could be done for critical infrastructure. For example, make companies undergo regular security audits and document how they addressed the issues uncovered in those audits.

    • by ljw1004 ( 764174 )

      "if you couldn't catch them when it was only somewhat illegal, what makes you think making it more illegal will do anything at all?

      There's an easy answer to that.
      1. there's an action that we as society don't want
      2. that action involves two sub-actions X and Y, both of which usually happen as part action, and neither of which often happen other than as part of that action
      3. we already have laws on the books to make X illegal
      4. it's either hard to detect X, or hard to gather evidence for X, or hard to make an unassailable case that X happened
      5. it's easier to detect Y, or to gather evidence for Y, or to make an unassailable case that Y h

  • What would end intrusions almost immediately? Enacting law assigning financial liability to executives of those corporations and government agencies that are victims of attacks.

    Victimhood is a choice made by executives. Those expensive ransom payments which the customers, stock holders and tax payers were forced to fund were the consequence of executive decisions against good security practices such as keeping up with software security updates, intrusion detection, backups, security audits, and having an

    • What would end intrusions almost immediately? Enacting law assigning financial liability to executives of those corporations and government agencies that are victims of attacks.

      Why just there? Make the coders who fail to develop secure systems and leave in vulnerabilities liable as well and also employees who fail to follow security rules.

      After all, you can't fix what you don't know exists and rules and procedures are only as good as those implementing them.

    • by Areyoukiddingme ( 1289470 ) on Thursday June 10, 2021 @04:22PM (#61474838)

      Victimhood is a choice made by executives. Those expensive ransom payments which the customers, stock holders and tax payers were forced to fund were the consequence of executive decisions against good security practices such as keeping up with software security updates, intrusion detection, backups, security audits, and having an emergency recovery plan in place.

      True as far as it goes. Unfortunately you can't legislate competence.

      Government's usual (successful) response to this sort of thing is to authorize the executive branch to come up with security standards and then demand that government contractors follow them. Things like FIPS exist because of such efforts, and FIPS in particular is reasonably successful. Unfortunately there is no way to create a standard called "Secure Your Networks" and have it be anything useful.

      Banning payment of ransoms would probably help, especially if one of the inordinately large number of federal law enforcement agencies was instructed to make specific efforts to enforce the ban, including finding secret payments. That's how you get executives' attention legally and appropriately, rather than trying to get the Supreme Court to uphold piercing the corporate veil, which the Trump Supreme Court definitely won't go for. Make paying a ransom a felony with no jail time ('cause non-violent offense) and a nice fat fine and see how fast the hacking industry dries up.

    • by mysidia ( 191772 )

      What would end intrusions almost immediately? Enacting law assigning financial liability to executives
      It would not end intrusions -- it would just make it impossible for companies to hire and retain executives without putting Waiver and indemnification contracts in place requiring the Companies to Insure their executives against and protect their executives from that liability, and it's not a kind of law that could be passed, anyways.

      were the consequence of executive decisions against good security practic

  • by LostMyBeaver ( 1226054 ) on Thursday June 10, 2021 @04:19PM (#61474830)
    7 years ago, I was called in to audit/review tenders from the major vendors for replacing the clusters in 6 data centers for a 3-letter organization within the US government (9-digit budget USD). I was asked to come in blind, and while I lacked the clearances to look at what was on these systems myself, I was able to request redacted reports once I got there. I had worked with this organization several times in the past and had earned a reputation for being brutally honest and biting the hand that feeds me if I felt it was the morally right thing to do.

    me: "What is the reason for this upgrade"
    them: "We're at 98% capacity and are popping in RAM and disks to hold us over at this point"
    me: "Show me what they're running"
    them: 'H--e's o-r red-ct-d -epor-"
    me: "This is there because someone said your DC isn't running properly, so they sold you a 'fix all'"
    "This is here to backup the fixall"
    "This is here to monitor the fixall"
    "This is here to monitor the backup to the fix all"
    "The is here to provide faster storage for the systems which are monitoring the fix all and backing them up"
    "This is here to migrate the VMs of the fixall and all it's collateral systems since they weren't setup as redundant"
    "This is here to run a second copy of the fixall to fix the fixall in case the first fixall fails"
    "This i here to backup the..."
    "Oh look, there's an actual application used by your agency for actual agency business... wait... that's the old one. Where's the new one?"
    Them: "We put that into one of the cloud providers as it wasn't high security"
    Me: "Ok... let's continue"
    "Here's another fixall"
    "Here's all the shit to run the fixall"
    "Oh, here's an exchange server"

    When I was done, I found out that 97% of the current used capacity was for systems on systems on systems which ran systems... which did IT things... but didn't actually do anything the agency needed. This IS NOT an exaggeration. This is not a made up figure. There is a possibility for a margin of error, I'd be willing to say that maybe, best case, it was 92%.

    What I do know is that almost every system was installed by a sub-sub-contractor because every 18 months, the agency legally has to circulate a tender to allow contractors to battle over who will run the system for the next 18 months. In most cases, the sub-subs will just be taken over by whoever wins the bid. In a lot of cases, the contactors go into overtime, are no longer able to pay the sub-subs during the negotiation phase, so the sub-subs move onto the next contract. So, the people who worked on all the systems for the last 18 months leave with tons of half finished shit in production.

    So, I explained to the people working at this agency... the people wearing the fancy suits, not the cheap ones... they should invest $1-$5 million in removing the useless crap running on their data centers and free up 90%+ capacity and tell the vendors to screw off.

    They did...

    And two weeks later started a new tender for the same upgrade but for a different reason... because it's that or negotiate a new service agreement for the old stuff.

    In my personal opinion, the reason why these systems get hacked is because the government has rules in place to keep adding to the problems and replacing perfectly good systems with "even better" systems and none of them ever get properly installed or up and running.

    It's like "This isn't working, should I pay someone to sit down, figure out what the problem is and then orchestrate getting it done properly?" .... "I wouldn't know how to hire that person, whether to trust them, whether they know what they're doing, etc... I'll just call some consultants, let them rape me and hope that I can keep the doors open and lights on a little longer"
  • Many if not most infrastructure attacks are state-sponsored. Its funny how these clueless Dems think a new US law will suddenly make the Chinese, Russian and N.Korean hackers working in their respective government's equivalents of the NSA cease and desist. Any person with more than half a brain can clearly see that of course it won't.

    This also just shows how enacting laws is apparently all politicians are able to conceptualize no matter how clueless that action actually is to finding an effective solution.

  • Follow the money? (Score:4, Insightful)

    by Zarquon ( 1778 ) on Thursday June 10, 2021 @04:41PM (#61474882)

    Make any payments to the extortionists illegal and hold executives personally responsible if their company or contractors do so. Remove the profit motive.

    • >"Make any payments to the extortionists illegal and hold executives personally responsible if their company or contractors do so. Remove the profit motive."

      ^^^ This

      No amount of endless drivel "standards" pushed on the IT industry is going to help. All it will do is cost everyone tons of money. This doesn't mean I am saying security isn't important. IT IS. But there are zillions of necessary ways to set up zillions of systems for zillions of different purposes.

  • > Senate To Probe Whether Legislation Needed To Combat Cyber Attacks

    No, what's needed is to ban Microsoft Windows running on Intel hardware, from the Internet.
  • Let the idiots decided Information Technology & cyber defense strategies / policy. Not like Hackers or I.T. Professionals should have ANY say what-so-ever. Security is constantly evolving, as are cyber threats and attacks. You can't just make it illegal, because a company has a security issue. So you want to make it illegal for critical infrastructure to no be secure? First of all, NOTHING is secure. Second of all, what is secure? How do you check if something is entirely secure? What about unkno
  • 1. Make it completely illegal, with LONG Jail time, for Government Agencies, covert and not, to Weaponise flaws instead of advising vendors.
    2. Make it mandatory for vendors to fix those flaws within 30 days.
    3. Make backdoors in encryption illegal.
    4. Make backdoors in software illegal.
    5. Make retention of data beyond the lifespan of a transaction illegal without a warrant for all parties BUT the consumer.
    6. Make all cloud stored data encrypted with zero knowledge to anyone but the consumer.

    Sure, this sort of

  • Make it illegal to incur a ransomware attach due to poor security practices with a fine of 3 times the ransomware ask. Now there's a financial incentive to protect your network.

    • by mysidia ( 191772 )

      Make it illegal to incur a ransomware attach due to poor security practices with a fine of 3 times the ransomware ask.

      It sounds like something those evil ransomware authors would use to create additional leverage - by setting a ransom where they just repeatedly increase their ask and threaten to turn their victim in for receiving the demands.

      Cue up the emails: "Dear sir or madam. You've been hacked. Send $100 plus the wait fee of $100 for every hour to avoid your information leaked. until you send, as desc

  • that enforcing laws on people (hackers) that are in other countries might be a little difficult, but I guess the senate doesn't think so.

    • by gweihir ( 88907 )

      This needs to be about enforcing laws on the _defenders_. They have created far too many badly locked or unlocked barn doors and that if what drives this type of crime in the first place. Getting into a well-defended network is expensive and invalidates the criminal business model behind the current problems.

      • I don't know if that is possible on open networks there will always be holes

        • by gweihir ( 88907 )

          I don't know if that is possible on open networks there will always be holes

          I do not know either, but my intuition from doing IT Security for 30 years now is that you can make it hard enough to make it unattractive and hence make getting hacked a rare event. At the moment it is going towards something that happens far too often, because hacking many, many companies is _easy_.

  • And do it with personal criminal liability for the decision makers, i.e. prison time. That would cut 99% of the problem right there and within a short time. Could even be small change, because funding criminal enterprises is already a crime itself.

  • by MysteriousPreacher ( 702266 ) on Friday June 11, 2021 @04:16AM (#61476114) Journal

    The review found that these crimes will be best addressed by requiring back doors into all encryption, further regulating crypto currency, and extending copyright terms for Disney.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...