The US Senate has started circulating a revised draft cyber-security law following failed attempts to pass a similar bill last term. The proposed dictum, produced by the committee for commerce, science and transportation and backed by committee head Jay Rockefeller (D, W Va) and ranking member John Thune (R, SD), is another try …
"It also demands more research and development in computer security defences,"
While I don't say that doing science for science's sake is a bad thing, I will say that with the problem at hand it's really not necessary.
Really, just applying what we know is enough: using default deny firewalls (both IP and application level), proper authentication (rate limiting, requiring high entropy passwords) and encryption to sensitive systems (with 2 factor auth for critical infrastructure or likely targets).
We have this figured out; the problem is, it costs money. Money that in the end just reduces very nebulous risks rather than eliminating them, and that doesn't balance well on MBAs' spreadsheets... Enforcing the minimal security requirement is the only way to make the systems secure.
Re: More research
If only it were that simple.
Bugs in code also come into play (e.g. environment variables that can be swapped out under you, files that can be changed whilst in use, exploitation of buffer overruns, reliance on tainted data, system calls passing passwords as plain-text command line parameters, etc.).
These are really hard to find, especially in legacy code. Static and dynamic analysis can help a bit, but most of these issues are generally undecidable from an analysis perspective given the current technology. It's going to take a lot of research to get anywhere with this.
Not too much
"[enhance] the security and resiliency of public and private communications..." but not too much, NSA still needs access.
Re: Not too much
Indeed. If you remember Clipper, key escrow, and all that, would you really expect them to be happy about putting strong asymmetric key cryptography into everybody's tablet and smartphone? Without that, confidentiality (aka privacy) is pretty much impossible.
"the security and resiliency of public and private communications and information networks"
But not of course, the privacy of those networks.
So BAU then.
Do you know what you're fighting to preserve?
Will there be anything left when you've "won" ?
Re: "the security and resiliency of public and private communications and information networks"
"Do you know what you're fighting to preserve?
Will there be anything left when you've "won" ?"
Isn't much left now. :/
The Global Operating Devices Honest Truth
One needs a certain sort ... indeed, even several new sorts of advanced and advancing intelligence, to have any hope of being in any way effective in having a lead influence in the virtual realm which hosts cyber security.
And Uncle Sam just doesn't have it ... as is surely evidenced by the present being a clone of the past?!
How about stop trying to cut costs by remotely managing these facilities; employ some actual people; and take the damn systems offline.
Doesn't seem particularly difficult.
NIST have a handbook on computer security.
Perhaps one day someone might IDK read it?
I'm kidding of course.
Re: NIST have a handbook on computer security.
I haven't read the latest version, but the previous version read as if it had been written in the '90s.
Republicans voting against the expansion of powers of the DHS? Whatever next...
The sooner this department is disbanded into its constituent agencies and the so-called Patriot Act is repealed, the better.
Do what you will about network security. The two biggest risks, in order, are the authorized system or database administrator who makes an error and the authorized, but malicious, system or database administrator. It would be easy to name a few of the latter kind.