(no title)
d33
|
1 year ago
I don't want this to sound cynical, but do we have any examples where the US government successfully got the corporations to actually increase security, as opposed to just gaming the regulations to make more money instead?
saghm|1 year ago
greyface-|1 year ago
https://docs.fcc.gov/public/attachments/DOC-402579A1.pdf
https://docs.fcc.gov/public/attachments/DOC-402609A1.pdf
AnthonyMouse|1 year ago
Government agencies regularly game regulations that apply to them in the same way as corporations. See e.g. FOIA, Fourth Amendment, qualified immunity, civil asset forfeiture.
kjellsbells|1 year ago
People like to dump on government but they can move the acceptable window/best practice to a place that corps would not have gotten to by themselves. Crypto is one, OWASP springs to mind, etc. But the government is not a homogeneous monolithic entity and it necessarily has to have some confliction built into it. You could have a bulletproof secure system for identity for example come out of NIST, say,...but the CIA would immediately need a workaround so that agents could assume new IDs in the field.
ddtaylor|1 year ago
edent|1 year ago
> we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone
Amongst other things.
kevincox|1 year ago
I guess it probably does raise the baseline, but at the cost of those who have good security practices.
unethical_ban|1 year ago
Edit: SOX, HIPAA, NIST CSF.
Government is not always bad.
AnthonyMouse|1 year ago
HIPAA is extraordinarily expensive, meanwhile healthcare providers continue to have abominable security because compliance is offloaded to a "compliance team" who comes around once in a while to check boxes without really understanding the system, which is managed by other people who don't really understand HIPAA. This is one of the reasons security in large organizations is hard. Bureaucracies gravitate toward bureaucratic solutions, but then the left hand doesn't know what the right hand is doing, which is a direct mechanism for security to get messed up.
SOX isn't really about "security", it's about auditing and so on, but it suffers from a disadvantageous trade off. Large companies are less likely to have accounting problems than smaller ones. The law was passed in response to major outliers like Enron, but basing rules on rare outliers generally results in bad rules. Meanwhile the smaller companies have disproportionately higher compliance costs, to the point that there have been proposals to exempt smaller companies. But that implies it probably isn't worth it for large companies because the rate of fraud is so low and it probably isn't worth it for small companies because the compliance costs are so high, and then there's nothing left.
Whereas NIST CSF is a different kind of thing because it's voluntary. This is where government publications can really do some good, because if they publish rubbish then nobody has to pay any attention to it and the cost is limited to the money they spent creating it, but if it's good then it's valuable to anyone who uses it. The government should definitely lean towards this method, but it's hard to call this one "regulations" -- and the criticism you're responding to was that corporations would end up "just gaming the regulations".
skeaker|1 year ago