Biden Administration Releases National Cybersecurity Strategy (axios.com)
The Biden administration is promising to hold software developers and critical infrastructure to tougher security standards and apply more pressure on ransomware gangs as part of its first national cybersecurity strategy, released Thursday. From a report: The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats. The strategy -- which was crafted by the two-year-old Office of the National Cyber Director (ONCD) -- has five "pillars": defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships.
The strategy includes a wide range of tasks, from modernizing federal systems' cybersecurity defenses to increasing offensive hacking capabilities in the intelligence community. The administration will start working with Congress and the private sector on legislation that would hold software makers liable for security flaws if they fail to follow security best practices, like those developed by the National Institute of Standards and Technology.
This will end well (Score:5, Insightful)
The administration will start working with Congress and the private sector on legislation that would hold software makers liable for security flaws if they fail to follow security best practices, like those developed by the National Institute of Standards and Technology.
Tell me you don't understand the complexity of modern software without telling me you don't understand the complexity of modern software.
This coming from the same government which failed to understand that it takes a certain amount of water to flush a turd, and they think they should be regulating software security practices? I can't wait to see what low-flush software security looks like.
Re: (Score:2)
Nice FP, but we've already lost this battle. Wasn't it that REAL Republican Abe Lincoln who said something about the house divided against itself? But I still blame Microsoft for perfecting the EULA approach to no-liability software. Can you imagine how different the software industry would be if that stunt hadn't worked? (Me neither.)
Still, I'll go ahead and ask for an up-to-date citation. The best book I've read (of many) on this topic is still Cyber War by Richard Clarke. Surely there's something better t
Re: (Score:3)
Don't get your knickers in a twist about it because it's just a part of the song and dance where they pretend they're interested in governing responsibly and the media pretend to believe them.
Re: (Score:2)
Don't get your knickers in a twist about it because it's just a part of the song and dance where they pretend they're interested in governing responsibly and the media pretend to believe them.
Hey, I've heard that one before, in Russia they call it a "vranya".
Re: (Score:2)
I'm thinking that this is probably not intended to actually force secure software, but rather start to add some compliance requirements, and create barriers of entry for imported internet connected devices. After all, following "best practices" can really be whatever the industry decides, be it good or bad.
I suspect that the least worst scenario will be to force development to plan for security testing, and document it in an auditable manner. Meanwhile, hardware has certain security standards and devices (s
Re: (Score:2)
add some compliance requirements
Which is a potential disaster for OSS, because companies will be afraid to run anything that isn't officially certified as compliant.
Also, holding open source developers responsible for failed compliance? Good luck with that. This entire concept is poorly conceived and it's like it was written by someone who has no clue whatsoever how the internet actually works. They're laboring under the delusion that security works like it does in the physical world, where you can just put a lock on a door which has b
Re:This will end well (Score:4, Informative)
Some of that may be by design. Guarantee if they actually implement anything it will be lobbied by the big money software companies into something that pushes smaller companies out of the market, and probably gets rid of OSS as a viable concept for anybody that's not just hobby-tinkering around on their own things.
That's the way our government works. Announce something way before action. Allow the big industry players to pool their resources (i.e. bribe money), take "public input" on the matter to make it look like they care, implement all the things suggested by the big money movers, then laugh at the public when they ask WTF they were thinking.
Re: (Score:2)
Devil's in the details. I would hope whatever law is passed allows some degree of prosecutorial discretion, so that an OSS project that maybe has some holes that need plugging is not going to undergo nearly the amount of scrutiny as a major corporation.
Would any of us object if DOJ went after LogMeIn, a $1.2B corporation, for the absolute debacle that seems to be the LastPass breach, or the multiple breaches T-Mobile or other companies have had for their likely corner cutting and poor practices?
We are also prob
Re: (Score:1)
I would rather the DOJ ceased to exist. LogMeIn has always been a polished turd, whoever decided that the people behind the GoToMeeting malware (if you ever needed to join a GoTo meeting, you required the always-on, intrusive and ad-driven annoyosoft that reminded you every hour you didn't pay for the product) were trustworthy enough with their passwords kind of deserves it.
Re: (Score:2)
I mean we can blame the consumer all we want but that doesn't really solve anything nor does it excuse a corporation for such lax security practices with people's data, especially security info. When there is such incompetence or even malfeasance I think there should be consequences beyond a fine or some credit monitoring. Examples need to be made, that's one of the concepts of justice in the first place (and yes, we need a DOJ, if you want to call it something different go ahead but libertarians always en
Re: (Score:1)
GoTo purchased some successful early players in the field and a lot of large corps didn't know or care to change the service.
In the end, the market has to punish them, a small fine won't do. People have to actively get involved in the security practices of their vendors, that is slowly changing, but having implemented it, it is shocking how many even infosec and other large players can't provide a self-certification of having implemented something like the standard NIST guidelines, SOC2, HITRUST or ISO.
Re: (Score:2)
Well they cared enough to entirely switch off for video conferencing so many did care. During the pandemic Zoom basically ate their lunch.
In the end, the market has to punish them, a small fine won't do.
That's half my point, a fine won't do but the market has shown time, time, and time again that it is not fully capable of "punishing" bad actors in the space, especially entrenched large ones.
can't provide a self-certification of having implemented something like the standard NIST guidelines, SOC2, HITRUST or ISO.
Seems like we agree that if implemented properly what the Biden admin is doing is good?
Re: (Score:1)
I just don't like that the government is forcing us down a path that is half-baked. I think some corporation(s) should be more vigilant towards HITRUST compliance whilst others perhaps should be more along the lines of PCI compliance.
If the government dictates which standard to follow, we get things like HIPAA which is half-baked, it doesn't even enforce encryption, because even though available at the time, the biggest players didn't implement it so the government made a "standard" that makes recommendati
Re: (Score:2)
They're laboring under the delusion that security works like it does in the physical world, where you can just put a lock on a door which has been certified to withstand X number of whacks from a sledgehammer and you're good.
The IT industry is laboring under the delusion that their EULAs and ToSs will protect them from all liability. Fun fact: The same group that made "withstand X number of whacks" a legal requirement for physical security can make the equivalent legal requirement for IT security.
Which is a potential disaster for OSS, because companies will be afraid to run anything that isn't officially certified as compliant.
OSS isn't entitled to a market. You wanna play the game? Then you have to play by the rules of the game. If the rules say "you must implement X" and you refuse to do so, then you don't get to play. That goes for proprietary crap as well.
Re: (Score:1)
Really? (Score:2)
Cyber? (Score:1)
Usually things with "cyber" in their names are underwhelming. It's a dumb word unless you're talking cybernetics. Which software is only loosely part of...
Re: (Score:2)
Cyber.. steersman, as of a boat.
Yeah right (Score:1, Flamebait)
Biden can't even spell cybersecurity. This is being pushed by some low level hack with no understanding of the topic. Worse, they'll just appoint some czar to it and it will go nowhere but still cost 100 billion somehow. Can't wait for the nonbinary pansexual transracial paraplegic they put in charge of this one.
Re: (Score:1)
Cannot Have Security Without Privacy (Score:2)
Support "No-Opt-In-By-Default" Polices (Score:2)
How are they ensuring no repeat of SolarWinds (Score:2)
and OPM debacles? Will the decision makers go to jail?
Biden is coming to destroy the software industry (Score:2)
Game over
It's easy! (Score:2)
1. Outsource it to Oracle.
2. Blame Oracle when the next Colonial Pipeline situation happens.
3. Fine Oracle $1 Billion for the failure.
4. Allow Oracle to raise their government contract renewals by $2 Billion to cover the fines.
5. Profit!
YA! Another strategy! (Score:2)
Strategy checklist item #1 (Score:2)
surely must be:
Do not abandon a laptop full of stuff at a repair shop.
Closely related:
Do not entrust important data or hardware to drunks and/or drug addicts.
After those, the really tricky stuff like "don't use 1234 or 'password' as your password" and then the super-expert stuff like "don't click on urgent links in your emails and then enter all your personal info to 'verify your account'"
All the Einstein-level actual serious security stuff is best left to the private sector rather than the agencies created
oh, it's riskier to dev now? k thanx bye (Score:2)
If we're going after devs for security breaches, then expect the price of devs to soar.