Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Tuesday April 18 2017, @01:43AM   Printer-friendly
from the we-should-demand-it dept.

Seventy years into the computer age, Moshe Y. Vardi at ACM wants to know why we still do not seem to know how to build secure information systems:

Cyber insecurity seems to be the normal state of affairs these days. In June 2015, the U.S. Office of Personnel Management announced it had been the target of a data breach targeting the records of as many as 18 million people. In late 2016, we learned about two data breaches at Yahoo! Inc., which compromised over one billion accounts. Lastly, during 2016, close to 20,000 email messages from the U.S. Democratic National Committee were leaked via WikiLeaks. U.S. intelligence agencies argued that the Russian government directed the breaches in an attempt to interfere with the U.S. election process. Furthermore, cyber insecurity goes way beyond data breaches. In October 2016, for example, emergency centers in at least 12 U.S. states had been hit by a deluge of fake emergency calls. What cyber disaster is going to happen next?

[...] The basic problem, I believe, is that security never gets a high-enough priority. We build a computing system for certain functionality, and functionality sells. Then we discover security vulnerabilities and fix them, and security of the system does improve. Microsoft Windows 10 is much, much better security-wise than Windows XP. The question is whether we are eliminating old vulnerabilities faster than we are creating new ones. Judging by the number of publicized security breaches and attacks, the answer to that question seems to be negative.

This raises some very fundamental questions about our field. Are we investing enough in cybersecurity research? Has the research yielded solid scientific foundations as well as useful solutions? Has industry failed to adopt these solutions due to cost/benefit? More fundamentally, how do we change the trajectory in a fundamental way, so the cybersecurity derivative goes from being negative to being positive?

Previously:
It's 2015. Why do we Still Write Insecure Software?
Report Details Cyber Insecurity Incidents at Nuclear Facilities


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday April 18 2017, @09:15PM

    by Anonymous Coward on Tuesday April 18 2017, @09:15PM (#496019)

    Nice! I'm happy to see you changing it up a bit, and so far no downmod!

    There are times when society should create laws to protect against malfeasance. Public roads / bridges / other infrastructure should be held to a high safety standard, and that is only possible by creating a law with clear requirements. The biggest problem I see with eliminating government and moving to individual contracts is that no one is an expert on everything. This would make it very easy for a company to screw over its customers just to increase their profit margin.

    I imagine you might respond with "if they screw them over then no one would use that company and so the market would correct itself" but let me use an example.

    A small town needs a new bridge, so puts out a proposal and collects bids. They select a company that seems good, but the company ends up using cheaper materials and the bridge collapses in half the expected lifetime, say 10-20 years. Turns out this company had a history of doing this, so they get sued into oblivion but due to their corporate structure the owners were able to pocket the profits while tanking the company. Then they create a new company and start this process all over.

    More examples could be brought up, such as electronics devices not polluting the air waves and causing aircraft guidance problems, along with a million other circumstances which could easily be overlooked or actively ignored by private companies. Without a large agency to oversee these various issues there is no way to prevent such problems from happening. Whether you call it government, or the majority of people use a couple of trusted "oversight" companies, it doesn't mater. You effectively have the same concepts and humanity pays for it either through taxes or higher service / product costs.

    Personally I would choose the option of government for safety oversight. Private businesses have financial motivation for doing a bad job. Yes such corruption happens in government, but there is accountability. With private businesses there is much less accountability and history currently indicates that private businesses can and will make bad decisions in the pursuit of profit. Now we can have discussions about any particular piece of regulation, but you'll never convince me to hand the reigns over to profit motivated businesses.

    We have a big enough problem with corporate interests buying legislation, in your reality they would simply do as they please and the biggest corporations would become vertically integrated. In a very short time period you would have corporate states since who would be there to break up such monopolies? That would be 100X worse than government paired with private business.