Laws won’t stop cybercriminals, say experts

They won’t?
Tell us something we didn’t know.

(A follow-on to http://www.securityabsurdity.com/failure.php)

Is this any different from the Canukistani Federal Gun Registry Boondoggle?
You expect criminals to register their guns?

“You can’t attack this castle unless you are this high”
Its back to erecting a pole in your garden for the burglars to run into and knock themselves out on.

http://www.infoworld.com/article/06/05/10/78183_HNlegalsol_1.html

Terrorists and organized criminals are using computer vulnerabilities to line their pockets, but many cybersecurity ideas coming out of the U.S. Congress may not help much, some experts said Wednesday.

Congress tends to make reactive laws, too late, that address style not substance and get rolled in with other matters that dilute and weaken. Look at DHS. Where’s its budget? Where’s it vision?

I’ve read other articles recently to the effect that people who manage technology can no longer remain ignorant of the technologies they manage. Sadly, we’ve had a ‘management’ view that the science of management is independent of what it manages. We are not seeing the end of that paradigm.

Since a rash of data breaches in early 2005, Congress has introduced more than 10 bills related to data breach notification.

TEN!! Can’t they get it right?
Obviously not.
But with a shotgun you don’t have to be precise, do you?

The working model for a data breach bill seems to be the SOX law, which has cost U.S. businesses hundreds of millions of dollars Kobayashi said. “The model is a sledgehammer,” he said. “What economists hope is Congress steps back and looks at the costs and benefits before they do something like that.”

I’m sorry? Why should they do that?
Yes it would be nice, even sensible, but what evidence is there from past behaviour that they do this?

Instead of waiting for Congress to act, businesses should demand more secure IT products, said Ken Silva, chief security officer for security vendor VeriSign Inc. He encouraged technology buyers to join organizations that advocate for more secure products.

Well, lest skip the ‘self serving’ bit in that, and just look at “What do you mean by ‘secure’?”. When we’ve solved that we can start on the trivial stuff like “Does God Exist” and “why do men and women have trouble communicating”.

“We can’t wait for Congress to solve this problem because it’s not going to solve the problem,” Silva said. “The fact of the matter is extortion is already illegal. Passing a law to make electronic extortion even more illegal looks good on television, but it doesn’t really solve the problem.”

Therein lies the difference between the US and the Canukistani approach. Here in the GWN we have a “Criminal Code”. Instead of whole new bills that are “Seen to be doing something”, we insert an extra clause in the Criminal code to extend scope or definition.

As its says above, extortion is extortion is extortion. Fraud is fraud is fraud is fraud. It doesn’t matter what medium or technology.

This is no different from what I preach in my workshops on Developing Policies and Procedures. I try to show that your “Access Control” policy is NOT about passwords, its about authorization – be it to the computer, the parking lot or the executive washroom. If you have all your policy as ‘reductionist’ low level statements, each one addressing a technology rather than an principle, you will be forever revising them.

But some people never seem to learn from past mistakes. What’s the line in my quotable quote database…

People who won’t quit making the same mistake over and over are what we call conservatives.
– Richard Ford, in his novel Independence Day

(Note the small ‘c’. Ford should have listened to Disraeli.)
However I can find about a dozen more in the quotes database that are appropriate.

About the author

Leave a Reply