
Tailpipe emission standards

Posted Dec 5, 2013 20:33 UTC (Thu) by dlang (guest, #313)
In reply to: Tailpipe emission standards by mathstuf
Parent article: Geer: Trends in cyber security

> And that, IMNSHO, is the (main) problem: legislating solutions rather than results :( .

and what makes you think that lawyers and politicians are going to do any better of a job legislating how computers should be secured than how to build cars?

that's the real problem with calls to require that only 'qualified' or 'good' people connect to the Internet.



Tailpipe emission standards

Posted Dec 5, 2013 22:16 UTC (Thu) by mathstuf (subscriber, #69389)

I…agree? Legislating "how" (the solution) is usually a bad path. What you want is to expect results from things while also keeping an eye on the methods to make sure that the best reason for that path is better than "the ends justify the means". I think I would impose HIGH fines (proportional to company size and amount of data) for security leaks by companies. Ramp them up if the company isn't disclosing breaches in reasonable timeframes[1]. The problem is that fines are too low for companies to justify security because it's not *their* data and PR is such an ephemeral thing for those too big to fail.

[1] Apparently JP Morgan lost ~465,000 (pre-paid) CC numbers in July and it's only public[2] now because they couldn't "rule out the possibility that some card holders' personal data may have been accessed" instead of being proactive and saying "we've had a breach and your number may have been leaked" in, say, August.

[2] http://arstechnica.com/security/2013/12/hack-on-jpmorgan-...

