Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 19 submissions in the queue.
posted by janrinok on Thursday March 16 2023, @11:51PM   Printer-friendly

The US government looks poised to force tech companies to do more about security:

The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.

Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don't comply.

It's not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs — they've warned the company that, at the moment, it doesn't appear to be up to the task.

[...] In theory, if those standards aren't met, fines would eventually be imposed. Glenn S. Gerstell, former general counsel of the National Security Agency, explained it this way to the Times: "In the cyberworld, we're finally saying that Ford is responsible for Pintos that burst into flames, because they didn't spend money on safety." That's a reference to the Ford Pinto frequently bursting into flames when rear-ended in the 1970s. That led to a spate of lawsuits and a ramp-up in federal auto safety regulations.

But cybersecurity requirements backed by fines aren't here yet. Dig into the new document and you'll find that because the new strategy is only a policy document, it doesn't have the bite of law behind it. For it to go fully into effect, two things need to happen. President Biden has to issue an executive order to enforce some of the requirements. And Congress needs to pass laws for the rest.

It's not clear when lawmakers might get around to moving on the issue, if ever, although Biden could issue an executive order for parts of it.

[...] So, what does all this have to do with Microsoft? Plenty. The feds have made clear they believe Microsoft has a long way to go before it meets basic cybersecurity recommendations. At least one top government security official has already publicly called out Microsoft for poor security practices.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly recently criticized the Microsoft during a speech at Carnegie Mellon University. She said that only about one-quarter of Microsoft enterprise customers use multifactor authentication, a number she called "disappointing." That might not sound like much of a condemnation, but remember, this is the federal government we're talking about. It parses its words very carefully. "Disappointing" to them is the equivalent of "terrible job" anywhere else.

[...] Even without laws and executive orders, the company could be in trouble. The US government spends billions of dollars on Microsoft systems and services every year, a revenue stream that could be endangered if Microsoft doesn't adhere to the standards.


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Immerman on Friday March 17 2023, @02:12AM (5 children)

    by Immerman (3985) on Friday March 17 2023, @02:12AM (#1296605)

    It's not that they allowed it - *NIXes are even more permissive.

    It's that they didn't require permission from the user to do so. And more importantly, they made no attempt to make sure their own parts weren't more riddled with security holes than an ant colony in Swiss cheese.

    You can bolt all the aftermarket crap you want to onto your car - but the stock components better not be a safety concern. The aftermarket component makers will be liable for any safety issues they introduce. And the mechanic will be liable for any safety issues caused by incompetent installation.

    You are only liable if it's your own tweaks or irresponsible driving that caused the problem.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 0, Interesting) by Anonymous Coward on Friday March 17 2023, @02:43AM (4 children)

    by Anonymous Coward on Friday March 17 2023, @02:43AM (#1296610)

    http://www.windowsecurity.com/uplarticle/18/nt-vs-unix.pdf [windowsecurity.com]

    This paper demonstrates that the security mechanisms of Windows NT are slightly bet-
    ter
    than those of UNIX. Despite this fact the two systems display a similar set of vul-
    nerabilities. This implies that Windows NT has the theoretical capacity of being more
    secure than “standard” UNIX. However, with the present way of installing and using
    the systems there seems to be no significant difference between their security level. It
    is true that there are presently more intrusions in UNIX systems, but we believe that
    this is due to the aging factor, i.e. the statement above should hold when comparing the
    systems at the same state of development and market penetration
    . Thus, the only rea-
    son for more UNIX penetrations is that the system is older and more well-known and
    we should anticipate an increasing number of intrusions into Windows NT, a tendency
    that has already started.

    I think it still holds. They're still mostly about the same in terms of security/insecurity. The attackers target what's popular.

    Plenty of those wordpress etc hacks are on Linux systems. There are plenty of hackers finding and looking for Android exploits. Doubt most hackers would continue research exploits for "Windows Mobile" even though there are probably plenty.

    • (Score: 1, Redundant) by turgid on Friday March 17 2023, @10:24AM (2 children)

      by turgid (4318) Subscriber Badge on Friday March 17 2023, @10:24AM (#1296657) Journal

      From the fine paper, "Presented at the Third Nordic Workshop on Secure IT Systems, NORD-
      SEC’98, 5-6 November, 1998, Trondheim, Norway."

      A lot has happened since 1998. Also, remember that the Windows (NT) kernel and the entire Windows OS (kernel, userland, browsers, telemetry etc.) need to be considered. The Windows NT kernel, the foundation of modern Windows, was quite a good design at the time. It's what's on top that stinks more.

      • (Score: 1) by Woodherd on Friday March 17 2023, @11:26AM (1 child)

        by Woodherd (25391) on Friday March 17 2023, @11:26AM (#1296663)

        A lot has happened since 1998.

        It is never too late to build security into your operating system, or to try to post hoc build some semblance of security in what you are selling as a toy operation system for toy Personal Computers, that will never be networked. I suspect the motivations of the grandparent post.

    • (Score: 3, Interesting) by Anonymous Coward on Friday March 17 2023, @12:52PM

      by Anonymous Coward on Friday March 17 2023, @12:52PM (#1296672)

      I think it still holds.

      Uh huh. All the theory and academic bullshit in the world can't match reality.

      If you need something to route packets for your network and your choices are...oh....Microsoft Windows Server 2022 and FreeBSD 13.1....which one would you pick to keep things secure?

      If you need to accept mail into your network....are you going to run Microsoft Windows Server 2022 with IIS and Microsoft Exchange and Outlook Web Access with PowerShell and...you know...the XBox Live Toolbar that for some reason is installed by default on all their operating systems now? Or are you going to be more secure with...Linux or a BSD running something like Postfix and Dovecot with SSH running?

      I can tell you that during the lifecycle of Exchange 2012, our mail server was compromised 8 separate times. With only SMTP, POP3, IMAP, and good AV client and the rest of the brain-damaged Exchange/Outlook bullshit installed.

      We finally got the corporate OK to axe Microsoft bullshit and installed Postfix, Dovecot, and Roundcube. We've been running it for almost as long as we ran Exchange 2012....zero breaches.

      I mean...I'll admit that Windows could totally be more secure...just not by default....and not in an environment where every goddamned person thinks they're an IT guy because they can do google-and-point-and-click admin with zero knowledge how the technologies work.

      Oh, and it also doesn't work in an environment where businesses are concerned about money. "We need to upgrade to a newer version of Exchange. It'll cost fleventy billion dollars because we need to buy new hardware, new copies of Windows Server, new copies of Outlook, new permission slips called CALs to allow them to all talk and we need to train our IT point-and-click-bros how to use it, and we need support agreements....and....". Or you just get one slightly more expensive person to install software that's "free forever" with no licensing costs...