Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Thursday March 16 2023, @11:51PM   Printer-friendly

The US government looks poised to force tech companies to do more about security:

The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.

Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don't comply.

It's not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs — they've warned the company that, at the moment, it doesn't appear to be up to the task.

[...] In theory, if those standards aren't met, fines would eventually be imposed. Glenn S. Gerstell, former general counsel of the National Security Agency, explained it this way to the Times: "In the cyberworld, we're finally saying that Ford is responsible for Pintos that burst into flames, because they didn't spend money on safety." That's a reference to the Ford Pinto frequently bursting into flames when rear-ended in the 1970s. That led to a spate of lawsuits and a ramp-up in federal auto safety regulations.

But cybersecurity requirements backed by fines aren't here yet. Dig into the new document and you'll find that because the new strategy is only a policy document, it doesn't have the bite of law behind it. For it to go fully into effect, two things need to happen. President Biden has to issue an executive order to enforce some of the requirements. And Congress needs to pass laws for the rest.

It's not clear when lawmakers might get around to moving on the issue, if ever, although Biden could issue an executive order for parts of it.

[...] So, what does all this have to do with Microsoft? Plenty. The feds have made clear they believe Microsoft has a long way to go before it meets basic cybersecurity recommendations. At least one top government security official has already publicly called out Microsoft for poor security practices.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly recently criticized the Microsoft during a speech at Carnegie Mellon University. She said that only about one-quarter of Microsoft enterprise customers use multifactor authentication, a number she called "disappointing." That might not sound like much of a condemnation, but remember, this is the federal government we're talking about. It parses its words very carefully. "Disappointing" to them is the equivalent of "terrible job" anywhere else.

[...] Even without laws and executive orders, the company could be in trouble. The US government spends billions of dollars on Microsoft systems and services every year, a revenue stream that could be endangered if Microsoft doesn't adhere to the standards.


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Funny) by krishnoid on Friday March 17 2023, @12:23AM (4 children)

    by krishnoid (1156) on Friday March 17 2023, @12:23AM (#1296587)

    If it can generate code that looks good and compiles, why can't it identify security gotchas in existing code?

    • (Score: 5, Interesting) by canopic jug on Friday March 17 2023, @04:09AM (3 children)

      by canopic jug (3949) Subscriber Badge on Friday March 17 2023, @04:09AM (#1296625) Journal

      If it can generate code that looks good and compiles, why can't it identify security gotchas in existing code?

      You're misunderstanding what m$ CoPilot does and what it is for.

      It does not and cannot generate new code. It merely copies and recombines existing code, albeit sometimes in permutations which might at first glance look novel. What it is actually for is to strip those pesky licenses and copyright attributions from the code. If programmer $DEVELOPER has published code under $LICENSE and businesses have an ideological objection to following copyright law, they can just run the code from $DEVELOPER through m$ CoPilot and out comes "new" code without said pesky $LICENSE. Then they can claim that CoPilot did all the dirty work and that they are absolved from wrongdoing in the eyes of the non-technical, non-coding court.

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 2) by Freeman on Friday March 17 2023, @02:58PM (2 children)

        by Freeman (732) on Friday March 17 2023, @02:58PM (#1296693) Journal

        Still, should algorithms / code blobs be copyrightable? I would say, No. Shouldn't we want, X best way to do Y thing be "the way things are done"? I would say, yes, yes we really want that, thanks.

        Reality, $$$$, nice doing business.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by canopic jug on Friday March 17 2023, @03:27PM (1 child)

          by canopic jug (3949) Subscriber Badge on Friday March 17 2023, @03:27PM (#1296698) Journal

          Still, should algorithms / code blobs be copyrightable? I would say, No.

          Algorithms are different than their output. The US Copyright Office has decided that the output of AI algorithms is not eligible for copyright [theverge.com], so it'd not be even a short stretch to see the same view taken on code. However, the point being made is that the algorithms don't actually produce code but merely recombine and even outright plagiarize existing code.

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 2) by Freeman on Friday March 17 2023, @05:05PM

            by Freeman (732) on Friday March 17 2023, @05:05PM (#1296709) Journal

            Still, I think "plagiarizing" code shouldn't be a thing. Now, if you're actually trying to make X site look like Y site, sure that should be able to be covered by copyright/trademark or other laws. In the event that you're using similar or snippets of code that are exactly the same to design a totally different site. One that isn't designed to look exactly like the other site, then those snippets of code, shouldn't be a problem. You want security in software? Don't patent/copyright any code. An entire work, sure, large sections of an entire work, possibly, but not styles/snippets/best practice kinds of thing. There's already precedent that AI output isn't copyrightable. Maybe the future is no copyrighted code. One can dream.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 4, Insightful) by Runaway1956 on Friday March 17 2023, @12:26AM (6 children)

    by Runaway1956 (2926) Subscriber Badge on Friday March 17 2023, @12:26AM (#1296589) Journal

    establish baseline security requirements for businesses and tech companies and to fine those that don't comply.

    This should have happened around - ohhhhh - 1980, give or take five years?

    Seriously, every *nix in existence was built from the ground up with security in mind. Microsoft ignored all security, allowing third parties to bolt on after market blowers and turbos and chrome wheels and various other pieces of shit, all of which robbed power from the machine. If MS had been forced to take security seriously all those decades ago, the world would be quite different from what we know today.

    At the least, hackers would be better quality!

    • (Score: 5, Insightful) by Immerman on Friday March 17 2023, @02:12AM (5 children)

      by Immerman (3985) on Friday March 17 2023, @02:12AM (#1296605)

      It's not that they allowed it - *NIXes are even more permissive.

      It's that they didn't require permission from the user to do so. And more importantly, they made no attempt to make sure their own parts weren't more riddled with security holes than an ant colony in Swiss cheese.

      You can bolt all the aftermarket crap you want to onto your car - but the stock components better not be a safety concern. The aftermarket component makers will be liable for any safety issues they introduce. And the mechanic will be liable for any safety issues caused by incompetent installation.

      You are only liable if it's your own tweaks or irresponsible driving that caused the problem.

      • (Score: 0, Interesting) by Anonymous Coward on Friday March 17 2023, @02:43AM (4 children)

        by Anonymous Coward on Friday March 17 2023, @02:43AM (#1296610)

        http://www.windowsecurity.com/uplarticle/18/nt-vs-unix.pdf [windowsecurity.com]

        This paper demonstrates that the security mechanisms of Windows NT are slightly bet-
        ter
        than those of UNIX. Despite this fact the two systems display a similar set of vul-
        nerabilities. This implies that Windows NT has the theoretical capacity of being more
        secure than “standard” UNIX. However, with the present way of installing and using
        the systems there seems to be no significant difference between their security level. It
        is true that there are presently more intrusions in UNIX systems, but we believe that
        this is due to the aging factor, i.e. the statement above should hold when comparing the
        systems at the same state of development and market penetration
        . Thus, the only rea-
        son for more UNIX penetrations is that the system is older and more well-known and
        we should anticipate an increasing number of intrusions into Windows NT, a tendency
        that has already started.

        I think it still holds. They're still mostly about the same in terms of security/insecurity. The attackers target what's popular.

        Plenty of those wordpress etc hacks are on Linux systems. There are plenty of hackers finding and looking for Android exploits. Doubt most hackers would continue research exploits for "Windows Mobile" even though there are probably plenty.

        • (Score: 1, Redundant) by turgid on Friday March 17 2023, @10:24AM (2 children)

          by turgid (4318) Subscriber Badge on Friday March 17 2023, @10:24AM (#1296657) Journal

          From the fine paper, "Presented at the Third Nordic Workshop on Secure IT Systems, NORD-
          SEC’98, 5-6 November, 1998, Trondheim, Norway."

          A lot has happened since 1998. Also, remember that the Windows (NT) kernel and the entire Windows OS (kernel, userland, browsers, telemetry etc.) need to be considered. The Windows NT kernel, the foundation of modern Windows, was quite a good design at the time. It's what's on top that stinks more.

          • (Score: 1) by Woodherd on Friday March 17 2023, @11:26AM (1 child)

            by Woodherd (25391) on Friday March 17 2023, @11:26AM (#1296663)

            A lot has happened since 1998.

            It is never too late to build security into your operating system, or to try to post hoc build some semblance of security in what you are selling as a toy operation system for toy Personal Computers, that will never be networked. I suspect the motivations of the grandparent post.

        • (Score: 3, Interesting) by Anonymous Coward on Friday March 17 2023, @12:52PM

          by Anonymous Coward on Friday March 17 2023, @12:52PM (#1296672)

          I think it still holds.

          Uh huh. All the theory and academic bullshit in the world can't match reality.

          If you need something to route packets for your network and your choices are...oh....Microsoft Windows Server 2022 and FreeBSD 13.1....which one would you pick to keep things secure?

          If you need to accept mail into your network....are you going to run Microsoft Windows Server 2022 with IIS and Microsoft Exchange and Outlook Web Access with PowerShell and...you know...the XBox Live Toolbar that for some reason is installed by default on all their operating systems now? Or are you going to be more secure with...Linux or a BSD running something like Postfix and Dovecot with SSH running?

          I can tell you that during the lifecycle of Exchange 2012, our mail server was compromised 8 separate times. With only SMTP, POP3, IMAP, and good AV client and the rest of the brain-damaged Exchange/Outlook bullshit installed.

          We finally got the corporate OK to axe Microsoft bullshit and installed Postfix, Dovecot, and Roundcube. We've been running it for almost as long as we ran Exchange 2012....zero breaches.

          I mean...I'll admit that Windows could totally be more secure...just not by default....and not in an environment where every goddamned person thinks they're an IT guy because they can do google-and-point-and-click admin with zero knowledge how the technologies work.

          Oh, and it also doesn't work in an environment where businesses are concerned about money. "We need to upgrade to a newer version of Exchange. It'll cost fleventy billion dollars because we need to buy new hardware, new copies of Windows Server, new copies of Outlook, new permission slips called CALs to allow them to all talk and we need to train our IT point-and-click-bros how to use it, and we need support agreements....and....". Or you just get one slightly more expensive person to install software that's "free forever" with no licensing costs...

  • (Score: 2, Disagree) by krishnoid on Friday March 17 2023, @01:58AM (2 children)

    by krishnoid (1156) on Friday March 17 2023, @01:58AM (#1296603)

    For the Ford Pinto [youtu.be] issue. It was also the issue that put Ralph Nader on the map.

    • (Score: 2, Informative) by Anonymous Coward on Friday March 17 2023, @03:09AM (1 child)

      by Anonymous Coward on Friday March 17 2023, @03:09AM (#1296617)

      > the issue that put Ralph Nader on the map

      ...was the Corvair, in one chapter of his first book, "Unsafe At Any Speed". https://en.wikipedia.org/wiki/Ralph_Nader_bibliography [wikipedia.org] Long before the Pinto existed.

      • (Score: 2) by ChrisMaple on Saturday March 18 2023, @06:11AM

        by ChrisMaple (6964) on Saturday March 18 2023, @06:11AM (#1296824)

        It's worth noting that "Unsafe At Any Speed" was an emotionally biassed hit piece. Nader avoided mentioning several aspects of the Corvair: The car's design had been changed by the time the book was published. The Corvair's notorious terminal oversteer, caused by its swing-axle rear suspension, was largely compensated for by using higher pressure in the rear tires (as specified in the owner's manual, which drivers routinely ignored.) The car had safety features that Nader hid, such as excellent visual field for the driver.

  • (Score: 4, Informative) by canopic jug on Friday March 17 2023, @03:57AM (4 children)

    by canopic jug (3949) Subscriber Badge on Friday March 17 2023, @03:57AM (#1296624) Journal

    Kemba Walden [whitehouse.gov], the acting national cyber director, is a microserf and working to further m$ political reach in the government. Rather than sitting in jail, her group's failure has been rewarded by appointing her to a policy position. Keep in mind that it may seem like m$ and its minions have almost more people in Washing DC now than in Washington state. That is why any legislation in the works is going to be bent both to their advantage as well as to the detriment of any competitors, if the FOSS community does not get in on this.

    First and foremost, above all else, m$ sees Free and Open Source Software and Open Standards, as a threat. This new strategy will be drafted to reflect that, if they are allowed to continue writing it. So even if the proposed, new National Cybersecurity Strategy does absolutely nothing else, it will come down to ban on using and developing of Free and Open Source Software in the US.

    The Fine Article does not link to the original source and it's author, Preston Gralla, appears to be your typical m$ shill, and thus the article lacks any substance. What is needed is the link to the actual draft of the policy so it can be determined where the gotchas are and what the microsofters are trying to fool the US into forming a policy around.

    Maybe Preston is referring in his article to DRAFT NSTAC REPORT TO THE PRESIDENT: Strategy for Increasing Trust in the Information and Communications Technology and Services Ecosystem [cisa.gov]?

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 5, Informative) by canopic jug on Friday March 17 2023, @04:22AM (3 children)

      by canopic jug (3949) Subscriber Badge on Friday March 17 2023, @04:22AM (#1296627) Journal

      As an addendum to the comment above, Appendix B: Membership and participants of the DRAFT NSTAC REPORT TO THE PRESIDENT: Strategy for Increasing Trust in the Information and Communications Technology and Services Ecosystem [cisa.gov] shows that the subcommittee leadership is classic fraud. All three leading the committee are active microsofters:

      • Mr. Scott Charney: Microsoft Corp. Subcommittee Chair
      • Mr. Kevin Reifsteck: Microsoft Corp. Working Group Co-Lead
      • Mr. Robert Spiger: Microsoft Corp. Working Group Co-Lead

      Aside from not having paid enough campaign donations to Biden back in 2015, why the fuck is no one from the FSF there even in the membership list as a committee participant?

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 3, Interesting) by turgid on Friday March 17 2023, @10:27AM (1 child)

        by turgid (4318) Subscriber Badge on Friday March 17 2023, @10:27AM (#1296658) Journal

        Are Microsoft looking for a government grant (a few hundred million bucks maybe) to "invest" in Windows security, for Truth, Justice and the American Way(TM)?

        • (Score: 4, Insightful) by Rich on Friday March 17 2023, @11:10AM

          by Rich (945) on Friday March 17 2023, @11:10AM (#1296661) Journal

          No. That would be just a single handout, which is not suitable for a post-scarcity software economy. They're likely after making a commercial "antivirus" subscription mandatory.

      • (Score: 0) by Anonymous Coward on Friday March 17 2023, @08:44PM

        by Anonymous Coward on Friday March 17 2023, @08:44PM (#1296744)

        Are you implying that MS is not acting on behalf of the Russians/Norks?

  • (Score: 1) by krokodilerian on Friday March 17 2023, @07:07AM (1 child)

    by krokodilerian (6979) on Friday March 17 2023, @07:07AM (#1296651)

    Having a baseline coming from the USG might be useful in other places, I think most of it will be common sense stuff, and will make it easier to get any company to have at least minimal level of security.

    I can't seem to find such a document, though, at least from the stuff linked above, does it exist? The actual "you need to have A, B, C"?

    • (Score: 0) by Anonymous Coward on Friday March 17 2023, @12:54PM

      by Anonymous Coward on Friday March 17 2023, @12:54PM (#1296673)

      There are various guides and recommendations from NIST and the NSA for how to harden existing systems. For instance, the NIST checklist [nist.gov]. And in the DoD you have STIGs [cyber.mil], which for certain operating systems admins can just download scripts or Windows group policies that automatically apply those settings. For the Government, at least, everything is complicated by the fact that you're talking about a HUGE organization and various parts do better than others in being up to date. Plus you can't apply one solution to everything. You can really lock down a computer for a user who really only needs to have email and Office and a few other things, but that won't work on anyone doing hardware and software development where they need local admin. Plus, as with any large organization, there is a certain amount of stovepiping that goes on where organizations address things on their own or have authority only over their parts. Organizations with generous budgets can stay up on replacing hardware and software and have IT departments, but other organizations who are grossly underfunded will still be running old computers and operating systems and their IT is handled by Steve, who doesn't really want to take on those responsibilities, but he handles that stuff because he's known as the "computer guy" and understands that stuff because he likes linux.

  • (Score: 3, Insightful) by hendrikboom on Friday March 17 2023, @04:44PM

    by hendrikboom (1125) Subscriber Badge on Friday March 17 2023, @04:44PM (#1296703) Homepage Journal

    The big question is whether the safety rules are going to require things like locked bootloaders on every computer.

  • (Score: 1, Troll) by DadaDoofy on Friday March 17 2023, @05:53PM (1 child)

    by DadaDoofy (23827) on Friday March 17 2023, @05:53PM (#1296720)

    You can count on the executive order. If there is one thing Biden's excel at, it's the shakedown.

    • (Score: 2) by ChrisMaple on Saturday March 18 2023, @06:16AM

      by ChrisMaple (6964) on Saturday March 18 2023, @06:16AM (#1296825)

      And you can be sure that there is no Constitutional support for any executive order that Biden signs. This should be entirely a legislative issue.

(1)