Senate To Probe Whether Legislation Needed To Combat Cyber Attacks (reuters.com)
U.S. Senate Majority Leader Chuck Schumer on Thursday said he is initiating a review of recent high-profile cyber attacks on governments and businesses to find out whether a legislative response is needed. From a report: "Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals." Schumer noted that the New York City subway system was the victim of a computer hack in early June. This came on the heels of Colonial Pipeline having to shut down some operations, resulting in disrupted fuel supplies in the U.S. Southeast, as a result of a cyber attack.
Re: (Score:1)
Nah. Margaret Thatcher and Janet Reno.
Re: (Score:3)
Nah. Margaret Thatcher and Janet Reno.
You are a sick man. ;)
Why do they even need to ask? (Score:1)
The fact that they need to ask really goes to show how out of touch they are. 10,000x times yes! DO SOMETHING. I want black helicopters and enhanced interrogation. Ruin these people.
Re: (Score:1)
The fact that they need to ask really goes to show how out of touch they are. 10,000x times yes! DO SOMETHING. I want black helicopters and enhanced interrogation. Ruin these people.
Ruin them how? What if they are outside of the U.S.? Then what?
The common sense solution:
(1) Make it illegal to make payments to a criminal organization (e.g. Paying "Ransom"). and enforce the law.
(1a) It might already be illegal. If it is, enforce the law.
(2) Very large fines for any business operating critical infrastructure who fails to properly secure their network. 99% of all "ransomware" is only able to exist because of sloppy lax security.
(3) Fines have little or no effect on big companies with
Re: (Score:2, Insightful)
Here is what they will really do:
1: Make discussing hacking, having physical lockpicks, and debugging tools a crime, a la the DMCA.
2: Make jailbreaking and repairing devices a Federal crime.
3: Make talk about hacking a Federal offense, similar to the original CDA law which got struck down before it even would go into effect.
4: Require all Internet connected PCs to run an anti-virus like utility, but would scan for pirated music, movies, software, and check websites visited, and anything detected, would
Re: (Score:2)
Ruin them how? What if they are outside of the U.S.? Then what?
That's literally why we have a military. Economic warfare is still warfare, and cyber attacks target infrastructure in nearly every case (targeting the economy is targeting the supply chain of the nation, the military, and citizens.) So much as sending spam should result in a drone strike, not even joking.
Schumer (Score:5, Funny)
Considering it is Schumer, his brilliant idea is probably to ban assault computers. That'll fix it.
Re: (Score:2)
Maybe in the future enemy computers will be blowing up like star trek consoles.
Re: (Score:2)
The computer is black and has scary looking alien heads and flashing lights coming from the chassis. It includes a high grade BitCoin farming apparatus that is being improperly used to draw 3d graphics. You don't need all that for just writing in Word. That user is obviously up to something nefarious.
sounds good (Score:3)
Except those dinguses can't even agree on what to do about physical attacks on their own building...
I imagine for cyber attacks one party will craft a bill that just hurls insults at China but does nothing about the actual problem, and the other party will wring their hands hoping to reach across the aisle and get bipartisan support for the meaningless legislation.
D.A.R.E. (Score:2)
Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals.
Well one could always try the same tactics that worked in the drug war.
Re: (Score:2)
Well one could always try the same tactics that worked in the drug war.
"Stop! No! Don't click that link!" PSAs on after-school television. That should fix it! We can do this. The government will fund it for sure.
So, they want to make cybercrimes illegal? (Score:5, Insightful)
Somehow, I'd always had the impression that "crimes" implied "illegal". Of course, they could be trying to make it MORE illegal.
Which begs the question "if you couldn't catch them when it was only somewhat illegal, what makes you think making it more illegal will do anything at all?"
Re: (Score:2)
Somehow, I'd always had the impression that "crimes" implied "illegal".
Chuck isn't talking about making the attacks illegal (they already are) but about criminalizing the negligence that allows the attacks to happen.
That is still stupid, but for different reasons.
Which begs the question ...
No, it raises the question: "Begs the question" [wikipedia.org] means something completely different.
Re: (Score:2)
Chuck isn't talking about making the attacks illegal (they already are) but about criminalizing the negligence that allows the attacks to happen.
That makes more sense, but unfortunately TFA is incredibly light on details.
That is still stupid, but for different reasons.
Why is that? I wouldn't mind if companies that provide essential infrastructure are forced to take IT security more seriously, because they're not going to unless they're pressured.
Re: (Score:2)
Why is that?
Many Americans naively believe that any problem can be solved if we just throw enough people in prison. There is little evidence of that.
Criminalizing mistakes pushes good people away from critical positions. Pay will go up to compensate for the risk, attracting unprincipled mercenaries who are good at lying, ass-covering, and shifting blame.
No one who has experience with the American criminal justice system believes that it is fair and efficient at uncovering the truth and incentivizing good behavior.
Man
Re: (Score:2)
Criminalizing is not the only legislative approach that can be taken. There is regulation for payment processing (imposed by credit card companies) and for dealing with medical records (imposed by the government); something similar could be done for critical infrastructure. For example, make companies undergo regular security audits and document how they addressed the issues uncovered in those audits.
Re: (Score:2)
"if you couldn't catch them when it was only somewhat illegal, what makes you think making it more illegal will do anything at all?"
There's an easy answer to that.
1. there's an action that we as society don't want
2. that action involves two sub-actions X and Y, both of which usually happen as part of that action, and neither of which often happens other than as part of that action
3. we already have laws on the books to make X illegal
4. it's either hard to detect X, or hard to gather evidence for X, or hard to make an unassailable case that X happened
5. it's easier to detect Y, or to gather evidence for Y, or to make an unassailable case that Y h
how to fix that (Score:2)
What would end intrusions almost immediately? Enacting law assigning financial liability to executives of those corporations and government agencies that are victims of attacks.
Victimhood is a choice made by executives. Those expensive ransom payments which the customers, stock holders and tax payers were forced to fund were the consequence of executive decisions against good security practices such as keeping up with software security updates, intrusion detection, backups, security audits, and having an
Re: (Score:2)
What would end intrusions almost immediately? Enacting law assigning financial liability to executives of those corporations and government agencies that are victims of attacks.
Why just there? Make the coders who fail to develop secure systems and leave in vulnerabilities liable as well and also employees who fail to follow security rules.
After all, you can't fix what you don't know exists and rules and procedures are only as good as those implementing them.
Re:how to fix that (Score:4, Insightful)
Victimhood is a choice made by executives. Those expensive ransom payments which the customers, stock holders and tax payers were forced to fund were the consequence of executive decisions against good security practices such as keeping up with software security updates, intrusion detection, backups, security audits, and having an emergency recovery plan in place.
True as far as it goes. Unfortunately you can't legislate competence.
Government's usual (successful) response to this sort of thing is to authorize the executive branch to come up with security standards and then demand that government contractors follow them. Things like FIPS exist because of such efforts, and FIPS in particular is reasonably successful. Unfortunately there is no way to create a standard called "Secure Your Networks" and have it be anything useful.
Banning payment of ransoms would probably help, especially if one of the inordinately large number of federal law enforcement agencies was instructed to make specific efforts to enforce the ban, including finding secret payments. That's how you get executives' attention legally and appropriately, rather than trying to get the Supreme Court to uphold piercing the corporate veil, which the Trump Supreme Court definitely won't go for. Make paying a ransom a felony with no jail time ('cause non-violent offense) and a nice fat fine and see how fast the hacking industry dries up.
Re: (Score:2)
What would end intrusions almost immediately? Enacting law assigning financial liability to executives
It would not end intrusions -- it would just make it impossible for companies to hire and retain executives without putting waiver and indemnification contracts in place requiring the companies to insure their executives against and protect their executives from that liability, and it's not a kind of law that could be passed, anyways.
were the consequence of executive decisions against good security practic
Belly laugh from hell (Score:4, Interesting)
me: "What is the reason for this upgrade"
them: "We're at 98% capacity and are popping in RAM and disks to hold us over at this point"
me: "Show me what they're running"
them: 'H--e's o-r red-ct-d -epor-"
me: "This is there because someone said your DC isn't running properly, so they sold you a 'fix all'"
"This is here to backup the fixall"
"This is here to monitor the fixall"
"This is here to monitor the backup to the fix all"
"This is here to provide faster storage for the systems which are monitoring the fix all and backing them up"
"This is here to migrate the VMs of the fixall and all its collateral systems since they weren't setup as redundant"
"This is here to run a second copy of the fixall to fix the fixall in case the first fixall fails"
"This is here to backup the..."
"Oh look, there's an actual application used by your agency for actual agency business... wait... that's the old one. Where's the new one?"
Them: "We put that into one of the cloud providers as it wasn't high security"
Me: "Ok... let's continue"
"Here's another fixall"
"Here's all the shit to run the fixall"
"Oh, here's an exchange server"
When I was done, I found out that 97% of the current used capacity was for systems on systems on systems which ran systems... which did IT things... but didn't actually do anything the agency needed. This IS NOT an exaggeration. This is not a made up figure. There is a possibility for a margin of error, I'd be willing to say that maybe, best case, it was 92%.
What I do know is that almost every system was installed by a sub-sub-contractor because every 18 months, the agency legally has to circulate a tender to allow contractors to battle over who will run the system for the next 18 months. In most cases, the sub-subs will just be taken over by whoever wins the bid. In a lot of cases, the contractors go into overtime, are no longer able to pay the sub-subs during the negotiation phase, so the sub-subs move onto the next contract. So, the people who worked on all the systems for the last 18 months leave with tons of half finished shit in production.
So, I explained to the people working at this agency... the people wearing the fancy suits, not the cheap ones... they should invest $1-$5 million in removing the useless crap running on their data centers and free up 90%+ capacity and tell the vendors to screw off.
They did...
And two weeks later started a new tender for the same upgrade but for a different reason... because it's that or negotiate a new service agreement for the old stuff.
In my personal opinion, the reason why these systems get hacked is because the government has rules in place to keep adding to the problems and replacing perfectly good systems with "even better" systems and none of them ever get properly installed or up and running.
It's like "This isn't working, should I pay someone to sit down, figure out what the problem is and then orchestrate getting it done properly?"
Re: (Score:3)
That list reads like number 8 [hpe.com] and possibly 10.
Yeah good luck with that. (Score:2)
Many if not most infrastructure attacks are state-sponsored. It's funny how these clueless Dems think a new US law will suddenly make the Chinese, Russian and N.Korean hackers working in their respective government's equivalents of the NSA cease and desist. Any person with more than half a brain can clearly see that of course it won't.
This also just shows how enacting laws is apparently all politicians are able to conceptualize no matter how clueless that action actually is to finding an effective solution.
Follow the money? (Score:4, Insightful)
Make any payments to the extortionists illegal and hold executives personally responsible if their company or contractors do so. Remove the profit motive.
Re: (Score:2)
>"Make any payments to the extortionists illegal and hold executives personally responsible if their company or contractors do so. Remove the profit motive."
^^^ This
No amount of endless drivel "standards" pushed on the IT industry is going to help. All it will do is cost everyone tons of money. This doesn't mean I am saying security isn't important. IT IS. But there are zillions of necessary ways to set up zillions of systems for zillions of different purposes.
Legislation needed to combat cyber attacks? (Score:1)
No, what's needed is to ban Microsoft Windows running on Intel hardware, from the Internet.
Great (Score:1)
Couple of LONG TERM suggestions.. (Score:1)
1. Make it completely illegal, with LONG Jail time, for Government Agencies, covert and not, to Weaponise flaws instead of advising vendors.
2. Make it mandatory for vendors to fix those flaws within 30 days.
3. Make backdoors in encryption illegal.
4. Make backdoors in software illegal.
5. Make retention of data beyond the lifespan of a transaction illegal without a warrant for all parties BUT the consumer.
6. Make all cloud stored data encrypted with zero knowledge to anyone but the consumer.
Sure, this sort of
Needs a financial incentive (Score:2)
Make it illegal to incur a ransomware attack due to poor security practices with a fine of 3 times the ransomware ask. Now there's a financial incentive to protect your network.
Re: (Score:2)
Make it illegal to incur a ransomware attack due to poor security practices with a fine of 3 times the ransomware ask.
It sounds like something those evil ransomware authors would use to create additional leverage - by setting a ransom where they just repeatedly increase their ask and threaten to turn their victim in for receiving the demands.
Cue up the emails: "Dear sir or madam. You've been hacked. Send $100 plus the wait fee of $100 for every hour to avoid your information leaked. until you send, as desc
I always thought (Score:2)
that enforcing laws on people (hackers) that are in other countries might be a little difficult, but I guess the senate doesn't think so.
Re: (Score:2)
This needs to be about enforcing laws on the _defenders_. They have created far too many badly locked or unlocked barn doors and that is what drives this type of crime in the first place. Getting into a well-defended network is expensive and invalidates the criminal business model behind the current problems.
Re: (Score:2)
I don't know if that is possible; on open networks there will always be holes.
Re: (Score:2)
I don't know if that is possible; on open networks there will always be holes.
I do not know either, but my intuition from doing IT Security for 30 years now is that you can make it hard enough to make it unattractive and hence make getting hacked a rare event. At the moment it is going towards something that happens far too often, because hacking many, many companies is _easy_.
Re: (Score:2)
They say in a bear attack you only have to run faster than the other person
Simple: Outlaw paying ransom (Score:2)
And do it with personal criminal liability for the decision makers, i.e. prison time. That would cut 99% of the problem right there and within a short time. Could even be small change, because funding criminal enterprises is already a crime itself.
Likely outcome (Score:3)
The review found that these crimes will be best addressed by requiring back doors into all encryption, further regulating crypto currency, and extending copyright terms for Disney.