New draft cybersecurity law: US Senate hits ctrl-alt-del, reboot

The US Senate has started circulating a revised draft cyber-security law following failed attempts to pass a similar bill last term. The proposed dictum, produced by the committee for commerce, science and transportation and backed by committee head Jay Rockefeller (D, W Va) and ranking member John Thune (R, SD), is another …

COMMENTS

This topic is closed for new posts.
  1. Tomato42

    More research

    "It also demands more research and development in computer security defences,"

    While I don't say that doing science for science's sake is a bad thing, I will say that with the problem at hand it's really not necessary.

    Really, just applying what we know is enough: using default deny firewalls (both IP and application level), proper authentication (rate limiting, requiring high entropy passwords) and encryption to sensitive systems (with 2 factor auth for critical infrastructure or likely targets).

    We have this figured out; the problem is, it costs money. Money that in the end just reduces very nebulous risks, not eliminates them, and that doesn't balance well on MBAs' spreadsheets... Enforcing the minimal security requirement is the only way to make the systems secure.

    1. Anonymous Coward

      Re: More research

      If only it were that simple.

      Bugs in code also come into play (e.g. environment variables that can be swapped out under you, files that can be changed whilst in use, exploitation of buffer overruns, reliance on tainted data, system calls passing passwords as plain-text command line parameters, etc.).

      These are really hard to find, especially in legacy code. Static and dynamic analysis can help a bit, but most of these issues are generally undecidable from an analysis perspective given the current technology. It's going to take a lot of research to get anywhere with this.

  2. TheUglyAmerican

    Not too much

    "[enhance] the security and resiliency of public and private communications..." but not too much, NSA still needs access.

    1. Yes Me Silver badge

      Re: Not too much

      Indeed. If you remember Clipper, key escrow, and all that, would you really expect them to be happy about putting strong asymmetric key cryptography into everybody's tablet and smartphone? Without that, confidentiality (aka privacy) is pretty much impossible.

      Nothing changes.

  3. John Smith 19 Gold badge

    "the security and resiliency of public and private communications and information networks"

    Hahahahahahahaha.

    But not of course, the privacy of those networks.

    So BAU then.

    Do you know what you're fighting to preserve?

    Will there be anything left when you've "won"?

    1. Wzrd1 Silver badge

      Re: "the security and resiliency of public and private communications and information networks"

      "Do you know what you're fighting to preserve?

      Will there be anything left when you've "won"?"

      Isn't much left now. :/

  4. amanfromMars 1 Silver badge

    The Global Operating Devices Honest Truth

    One needs a certain sort .... indeed, even several new sorts of advanced and advancing intelligence, to have any hope of being in any way effective in having a lead influence in the virtual realm which hosts cyber security.

    And Uncle Sam just doesn't have it ...... as is surely evidenced by the present being a clone of the past.?!

  5. nuked

    How about stop trying to cut costs by remotely managing these facilities; employ some actual people; and take the damn systems offline.

    Doesn't seem particularly difficult.

  6. John Smith 19 Gold badge

    NIST have a handbook on computer security.

    Perhaps one day someone might IDK read it?

    I'm kidding of course.

    1. Anonymous Coward

      Re: NIST have a handbook on computer security.

      I haven't read the latest version, but the previous version read as if it had been written in the '90s.

  7. Metrognome

    Say what?

    Republicans voting against the expansion of powers of the DHS? Whatever next...

    The sooner this department is disbanded into its constituent agencies and the so-called patriot act is repealed, the better.

  8. tom dial Silver badge

    Do what you will about network security. The two biggest risks, in order, are the authorized system or database administrator who makes an error and the authorized, but malicious, system or database administrator. It would be easy to name a few of the latter kind.
