Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Tech News > Obama wants stronger cyber-security laws in 2015

Obama wants stronger cyber-security laws in 2015
Thread Tools
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Dec 23, 2014, 11:28 PM
 
Last Friday, at President Barak Obama's year-end press conference, Carrie Budoff Brown of Politico asked the first question. Her inquiry was whether Sony had done the right thing in canceling the release of the Seth Rogan comedy The Interview, and what a "proportional" US response to the North Korean-led cyber-attack on Sony would look like. While discussing the answers to those questions, President Obama called on Congress to help create stronger cyber-security laws.



The President mentioned that he had created a cyber-security team to work on preventing such attacks on government systems -- with notable success -- but also indicated that work had been done with the private sector. While progress had been made, he said, the President added that "we're not even close to where we need to be" on the issue. Obama also said he wanted to work with Congress next year to develop stronger cyber-security laws that "allow for information-sharing across private-sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place."

Previous attempts at creating such laws have not gone well due to Congressional watering-down efforts, or have been opposed by President Obama himself amid concerns such laws would leave the public vulnerable to searches of their private information without a warrant.

Congress -- particularly the leaders coming into power in January -- have traditionally viewed the need for security as trumping privacy and civil liberties, whereas Obama has broadly been more in favor of finding non-partisan methods to balance security concerns without compromising fundamental US values, such as accelerating a move to more-secure chip-and-PIN EMV debit and credit cards, or encouraging the use of two-factor or multi-factor authentication that incorporates hardware and software in an effort to prevent cyber-attacks.

The Sony hack attack -- and the company's wishy-washy capitulation and reaction to it -- has given ammunition to those who view any cyber-attack on US businesses as an act of war. Obama has thus far declined to use hawkish language against North Korea, though he has promised a response to the intrusion.

He has noted, however, that all the country has been capable of doing is penetrating the insecure computer systems of a single movie studio, seemingly with the main goal of preventing the release of a light comedy that pokes fun at North Korea's military dictatorship. While some peripheral damage has been done, even the main goal of the campaign has failed, as Sony has found its spine and now says it will release The Interview in select theaters on Christmas as originally planned.

North Korea, in the meantime, has been struggling to stay connected to the larger Internet since this weekend, when the country's meager 1,024 IP addresses were flooded in a simplistic DDoS attack from an unknown group. The connection was restored on Monday, but is said to be unstable due to ongoing attacks, presumably in retribution for the Sony hack - but unlikely to be coming from any official US agency.
( Last edited by NewsPoster; Dec 23, 2014 at 11:29 PM. )
     
Mr. Strat
Dedicated MacNNer
Join Date: Jan 2002
Location: State of WA
Status: Offline
Reply With Quote
Dec 24, 2014, 11:26 AM
 
Yeah, pass more laws. That will fix the Internet.

How about just going away?
     
mgpalma
Forum Regular
Join Date: Sep 2000
Location: OR, USA
Status: Offline
Reply With Quote
Dec 24, 2014, 11:57 AM
 
How about just honoring the oath you took as president? More laws are *just* what we need...
-
Michael
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 24, 2014, 03:20 PM
 
You know that regulations are laws, right? Are you against the PCI standard? I don't understand the right wing knee jerking that suggests that all laws must be about placing restrictions on business, as opposed to putting in place legal frameworks to protect business, form international alliances, figure out the role that government should play in enforcing compliance to security standards, etc. I also don't understand this idea that all businesses will voluntarily do these things, especially those that are ignorant to why they should.

Why not turn this way of thinking the other way around and ask yourselves what the costs of fraud are to business, and what the costs are to us?

Tl;dr: don't be stupid.
     
just a poster
Forum Regular
Join Date: Jun 2004
Status: Offline
Reply With Quote
Dec 25, 2014, 10:32 AM
 
Obamacare for the internet... based entirely on lies and half-truths to create a high-cost, intrusive, and invasive bureaucratic state that rewards takers instead of workers or the public at large.

Businesses "voluntarily" secure their computers based on the value of the contents they hold. Not as secured means they're not as important, not up to some bureaucrat with nothing to do to say otherwise.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 25, 2014, 08:18 PM
 
What are we even talking about? Why bring up Obamacare? The Obamacare for the Internet line was made by Ted Cruz (I think) in relation to Net Neutrailty, so I don't see much coherence to this post other than that you don't like Obama.

The value of the data on a particular machine is often virtually irrelevant to Cybersecurity. If you are interested in an actual discussion rather than simply venting about your generic and unfocused grievenences with Obama, let us know.
     
cgc
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Status: Offline
Reply With Quote
Dec 25, 2014, 10:52 PM
 
Originally Posted by besson3c View Post
What are we even talking about? Why bring up Obamacare? The Obamacare for the Internet line was made by Ted Cruz (I think) in relation to Net Neutrailty, so I don't see much coherence to this post other than that you don't like Obama.

The value of the data on a particular machine is often virtually irrelevant to Cybersecurity. If you are interested in an actual discussion rather than simply venting about your generic and unfocused grievenences with Obama, let us know.
If you wanted this to be non-political why'd you bring up Ted Cruz? I think generally, the less government the better unless it'll help us all get along or protect us...
"Like a midget at a urinal, I was going to have to stay on my toes." Frank Drebin, Naked Gun 33 1/3: The Final Insult
     
unicast reversepath
Forum Regular
Join Date: Apr 2014
Location: 3rd Rock from the Sun
Status: Offline
Reply With Quote
Dec 26, 2014, 01:41 AM
 
Ted Cruz is more of a loose cannon than Obama.
He makes Obama look wise by comparison - what a clever illusion!
If you have Ghosts, you have Everything!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 26, 2014, 03:11 PM
 
Originally Posted by cgc View Post
If you wanted this to be non-political why'd you bring up Ted Cruz? I think generally, the less government the better unless it'll help us all get along or protect us...
I didn't bring him up. The "Obamacare for the internet" was Cruz's quote, I thought this was an obvious parroting of him.

Cybersecurity measures are a pretty obvious area for regulation for me, and a big part of this protection is financial data which is already regulated by an international standard called PCI (we are up to version 3 of this standard, this is nothing new). Without support from the government, these sorts of international standards are pretty hard to broker and enforce. A standard like this allows provide a framework for businesses to do their thing without legal liability or as much worry about their data being compromised. Not every business that deals with financial data (i.e. any business or non-profit that accepts money) are cybersecurity experts, and it is not reasonable to expect that they ought to be.

There is no American internet, it is just the internet, we therefore need agreements, organizations, leadership, and, yes, government involvement to help secure our data. This is not the government actually storing our data or anything like that, but simply helping regulate an environment in which the free market can do its thing.

If we can't agree that this is an appropriate government application, with all due respect to all political beliefs, we are pretty ****ed.
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Status: Offline
Reply With Quote
Dec 26, 2014, 03:41 PM
 
So they want new laws to prevent such attacks before they happen. The only way I can think of is to watch everyone in the world, to insure punishment afterwards. There's no way the bastion of freedom would monitor everyone for potential future crime. Not gonna happen.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 26, 2014, 03:55 PM
 
Originally Posted by chimaera View Post
So they want new laws to prevent such attacks before they happen. The only way I can think of is to watch everyone in the world, to insure punishment afterwards. There's no way the bastion of freedom would monitor everyone for potential future crime. Not gonna happen.
Huh?

Do any of you guys understand anything about cybersecurity? Sorry to sound dick-ish in asking this, but really, there are a lot of opinions being bandied about here with no real technical backing being shared.

Zero-day threats are always a problem and always will be, but zero-day attacks are not always how damage is caused.

The US is behind other countries in payment tech, for example. All it takes to obtain credit card numbers is to intercept communication from the magnetic stripe readers in many stores, that information is unencrypted. Any store employee could do this. With the new EMV standard that includes a chip on the credit card that we'll finally see make it into America with Obama's new regulation (which simply backs EMV's decision to stop making the old style cards), information will now finally be encrypted, but I digress. The point is if obtaining credit card information is this easy, hackers don't necessarily have to go to such great lengths. It is much easier to follow a pretty easy recipe.

This is why there is billions of dollars spent each year in dealing with fraud. If the free market is the cure-all, why is America only now starting to roll out modern credit cards? Why aren't all businesses PCI compliant? Yes, this is a leading question. The answer is that this weird free-market religion is not infallible.
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Status: Offline
Reply With Quote
Dec 26, 2014, 04:01 PM
 
@besson3c, they didn't say "prevent successful attacks" before they happen, they said "prevent attacks" before they happen. So this isn't about hardening security. It's about precrime. So they need a time machine, or several precogs (for redundancy), or they need to monitor everyone worldwide for deterrence value.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 26, 2014, 04:08 PM
 
Originally Posted by chimaera View Post
@besson3c, they didn't say "prevent successful attacks" before they happen, they said "prevent attacks" before they happen. So this isn't about hardening security. It's about precrime. So they need a time machine, or several precogs (for redundancy), or they need to monitor everyone worldwide for deterrence value.
He said that we generally aren't where he'd like to be in dealing with Cybersecurity threats, which is what I was commenting on primarily. In regards to:

Obama also said he wanted to work with Congress next year to develop stronger cyber-security laws that "allow for information-sharing across private-sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place."
This is, for example, banks making the owner of a credit card available across the private sector to verify that card (although we can verify the card's billing address via AVS), perhaps APIs for verification of government ID, etc. There are *tons* of things that could be done, and again, it isn't happening on its own, is it? It isn't always profitable to deal with potential problems preemptively.
     
just a poster
Forum Regular
Join Date: Jun 2004
Status: Offline
Reply With Quote
Jan 2, 2015, 07:32 PM
 
Before calling me "right wing", why don't you find out what is actually being proposed in this law?

The important questions to ask are:

1- what new practices are being proposed, specifically
2- will they be effective
3- who is going to pay for them
4- what are the penalties for ignoring safe practices

For instance, the NSA provides a pdf detailing "security configuration guidelines" for various operating systems and computer configurations already. Besides firewalls, secure passwords, and antivirus software, they advise such conveniences as removing the microphone and camera from a computer. How many consumers do that?

It's like I said, companies already have a vested business interest in protecting their data and spend money on cybersecurity accordingly. If they deem the data unimportant, they implement less security than if the data were important.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 2, 2015, 10:19 PM
 
Originally Posted by just a poster View Post
Before calling me "right wing", why don't you find out what is actually being proposed in this law?

The important questions to ask are:

1- what new practices are being proposed, specifically
2- will they be effective
3- who is going to pay for them
4- what are the penalties for ignoring safe practices

For instance, the NSA provides a pdf detailing "security configuration guidelines" for various operating systems and computer configurations already. Besides firewalls, secure passwords, and antivirus software, they advise such conveniences as removing the microphone and camera from a computer. How many consumers do that?
A set of guidelines are not laws.

It's like I said, companies already have a vested business interest in protecting their data and spend money on cybersecurity accordingly. If they deem the data unimportant, they implement less security than if the data were important.
That's not how cybersecurity works.

Why do universities want the machines on the network to be virus free? Not because they care about the data on the individual PCs, they don't, but because a compromised PC can drain network resources, can join botnets that can be used to wage a variety of remote attacks, can self-propagate, etc.

No offense, but this comment shows that you don't really understand cybersecurity. The golden egg is hardly ever the data on individual PCs, and the fact that beliefs like this are pretty common is why the responsibilities of cybersecurity are best not left in the hands of Joe Sixpack, especially when we are talking about financial data here.
     
just a poster
Forum Regular
Join Date: Jun 2004
Status: Offline
Reply With Quote
Jan 3, 2015, 05:26 PM
 
Originally Posted by besson3c View Post
No offense, but this comment shows that you don't really understand cybersecurity.
None taken. You assume you're competent and I'm incompetent.

I'm of the opinion that we should read these laws before we pass them to find out what's in them. Then we can determine who understands cyberprivacy vs who's being Grubered or being a Gruber.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 3, 2015, 06:51 PM
 
Originally Posted by just a poster View Post
None taken. You assume you're competent and I'm incompetent.

I'm of the opinion that we should read these laws before we pass them to find out what's in them. Then we can determine who understands cyberprivacy vs who's being Grubered or being a Gruber.

This is a strawman argument. I never claimed that we shouldn't read over these laws carefully.
     
just a poster
Forum Regular
Join Date: Jun 2004
Status: Offline
Reply With Quote
Jan 3, 2015, 08:02 PM
 
Originally Posted by besson3c View Post
This is a strawman argument. I never claimed that we shouldn't read over these laws carefully.
Dying to know what protections the NSA security guidelines are missing.

Are operational systems with built-in backdoors EVER secure?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 3, 2015, 08:51 PM
 
I've mentioned at least one. Do you have any idea how much financial fraud costs annually, and how woefully outdated current credit card technology is in this country?

Is this desirable? This is a very leading question, but I really don't understand why anybody would be resistant of most Cybersecurity efforts. There is so much room for improvement and this improvement is not going to magically come about without proper regulation.
( Last edited by besson3c; Jan 3, 2015 at 09:02 PM. )
     
just a poster
Forum Regular
Join Date: Jun 2004
Status: Offline
Reply With Quote
Jan 5, 2015, 11:36 AM
 
Originally Posted by besson3c View Post
I've mentioned at least one. Do you have any idea how much financial fraud costs annually, and how woefully outdated current credit card technology is in this country?
I don't know how much financial fraud costs annually. I suppose it depends on what is considered fraud when making the calculation, and who ends up being responsible for it.

Originally Posted by besson3c View Post
Is this desirable? This is a very leading question, but I really don't understand why anybody would be resistant of most Cybersecurity efforts. There is so much room for improvement and this improvement is not going to magically come about without proper regulation.
If outdated technology causes credit card fraud, wouldn't credit card companies (which, presumably, work to earn a profit) invest in updating their infrastructure to more secure technology on their own to prevent it?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 5, 2015, 12:50 PM
 
Originally Posted by just a poster View Post
I don't know how much financial fraud costs annually. I suppose it depends on what is considered fraud when making the calculation, and who ends up being responsible for it.
A quick Google search pulled up this article from 2011 which claims that it cost $190 billion in credit card fraud alone:

Solving the $190 billion Annual Fraud Problem: More on Jumio - Forbes

If you want to get into identity theft and other related forms of financial fraud, this no doubt gets into the trillions today. Big enough of a problem?


If outdated technology causes credit card fraud, wouldn't credit card companies (which, presumably, work to earn a profit) invest in updating their infrastructure to more secure technology on their own to prevent it?
It's not this simple.

A single company can't decide it is going to update their technology and expect greater security. With a payment there are retailers, point of sale devices, payment gateways, banks, and credit card companies involved - each with their own infrastructure, security practices, tech stacks, etc. Replacing infrastructure is expensive, and it is not going to happen if there is a ROI for each of the individual stakeholders that will be paying the bills.

EMV (Euro/Mastercard/VISA) has put forth a new standard a long time ago that the US will finally be adopting this year that puts a microchip on each credit card to provide some encryption. Many other countries have already adopted this standard. Why? Because in part their governments have been more involved in setting up regulation that supports this standard. The US has been holding off because of the cost of replacing this infrastructure, until EMV finally said they were going to stop making cards without the chip, so Obama had to mandate that we finally go along with this standard. What an embarrassment for this country that we couldn't even agree upon supporting a standard that is actually for our greater good.

There are costs to not making changes like this, but there are ways that businesses can deal with these expenses in other ways without having to face these upfront costs. For example, it doesn't really cost Verizon or AT&T as much as they charge for international data plans, but they profit so greatly from the status quo and users have no real choice because of the carrier's positions that they have absolutely no incentive to change, so they stick to price gouging. It would take an anti-trust like piece of legislation/regulation to put an end to this price gouging, but Americans are dumb and don't make their governments keep businesses in check this way because free market freedom and blah blah blah.

I totally get the arguments behind an intrusive government, small government, etc. However, regulation is one of the jobs we need the government to do. There is no benefit to pretending that they don't really need to do this job effectively.
( Last edited by besson3c; Jan 5, 2015 at 03:10 PM. )
     
just a poster
Forum Regular
Join Date: Jun 2004
Status: Offline
Reply With Quote
Jan 5, 2015, 04:09 PM
 
OK, so fraud costs credit card companies or retailers $190B, but they don't want to upgrade their infrastructures. This must mean that upgrading the infrastructure, assuming it will prevent all future fraud, will cost more than $190B.

So you propose the government step in and fund the money required to upgrade the infrastructure with taxpayer dollars? This is why we have an $18T debt.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 5, 2015, 04:42 PM
 
Originally Posted by just a poster View Post
OK, so fraud costs credit card companies or retailers $190B, but they don't want to upgrade their infrastructures. This must mean that upgrading the infrastructure, assuming it will prevent all future fraud, will cost more than $190B.

So you propose the government step in and fund the money required to upgrade the infrastructure with taxpayer dollars? This is why we have an $18T debt.

It won't cost the government $190B to upgrade the infrastructure. It will cost the industry some unknown amount of money, not doing anything will cost the industry some unknown amount of money. These numbers fluctuate and the latter is on the rise. The government does not have to fund anything, it has to provide regulation and work with businesses to make this transition. It actively promotes PCI compliance as well, and has put in place a legal framework where your business can be held liable if you are out of compliance. We aren't asking them to do anything but provide legal backing, there is no funding necessary.

You are looking at this far too simply as if proper security is just a line item on a balance sheet. It doesn't work to think of it that way (the same is true for national security, are you in support of having the military we have now? Just wondering)

Why ideologues might look at this with knee-jerk partisan responses, others might be legitimately thankful for government leadership on this. Without the international PCI standard, for example, many businesses would have no idea how to secure their financial data since for many this is outside the scope of the core competency of their business. For example, it us unreasonable to expect that some artisan know how to accept credit cards for people that want to buy her quilts. That artisan would surely appreciate the fact that the devices she uses have been (hopefully) tested for compliance, and all of her customers would appreciate the fact that their credit card data they have provided is also being kept more secure than it would be if credit card processing was the wild west.

Have you ever given somebody your credit card number over the phone? I think all of us have, back in the day. These days this just doesn't fly, and part of this is because PCI compliance encourages certain behaviors. Many Americans will blather on about how this is strong-arming, but the fact is many Americans (including these blathering folk) don't know the first thing about secure credit processing, and quite frankly, I'm fine with a technically sound dictatorial approach here.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 5, 2015, 04:42 PM
 
Of course, I recognize the irony of calling for less blathering while blathering myself
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 12:24 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,