The US government looks poised to force tech companies to do more about security:
The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.
Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don't comply.
It's not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs — they've warned the company that, at the moment, it doesn't appear to be up to the task.
[...] In theory, if those standards aren't met, fines would eventually be imposed. Glenn S. Gerstell, former general counsel of the National Security Agency, explained it this way to the Times: "In the cyberworld, we're finally saying that Ford is responsible for Pintos that burst into flames, because they didn't spend money on safety." That's a reference to the Ford Pinto frequently bursting into flames when rear-ended in the 1970s. That led to a spate of lawsuits and a ramp-up in federal auto safety regulations.
But cybersecurity requirements backed by fines aren't here yet. Dig into the new document and you'll find that because the new strategy is only a policy document, it doesn't have the bite of law behind it. For it to go fully into effect, two things need to happen. President Biden has to issue an executive order to enforce some of the requirements. And Congress needs to pass laws for the rest.
It's not clear when lawmakers might get around to moving on the issue, if ever, although Biden could issue an executive order for parts of it.
[...] So, what does all this have to do with Microsoft? Plenty. The feds have made clear they believe Microsoft has a long way to go before it meets basic cybersecurity recommendations. At least one top government security official has already publicly called out Microsoft for poor security practices.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly recently criticized Microsoft during a speech at Carnegie Mellon University. She said that only about one-quarter of Microsoft enterprise customers use multifactor authentication, a number she called "disappointing." That might not sound like much of a condemnation, but remember, this is the federal government we're talking about. It parses its words very carefully. "Disappointing" to them is the equivalent of "terrible job" anywhere else.
[...] Even without laws and executive orders, the company could be in trouble. The US government spends billions of dollars on Microsoft systems and services every year, a revenue stream that could be endangered if Microsoft doesn't adhere to the standards.
(Score: 1) by krokodilerian on Friday March 17, @07:07AM (1 child)
Having a baseline coming from the USG might be useful in other places. I think most of it will be common-sense stuff, and it will make it easier to get any company to have at least a minimal level of security.
I can't seem to find such a document, though, at least from the stuff linked above. Does it exist? The actual "you need to have A, B, C"?
(Score: 0) by Anonymous Coward on Friday March 17, @12:54PM
There are various guides and recommendations from NIST and the NSA for how to harden existing systems. For instance, the NIST checklist [nist.gov]. And in the DoD you have STIGs [cyber.mil], for which, on certain operating systems, admins can just download scripts or Windows group policies that automatically apply those settings. For the Government, at least, everything is complicated by the fact that you're talking about a HUGE organization, and various parts do better than others at staying up to date. Plus you can't apply one solution to everything. You can really lock down a computer for a user who only needs email and Office and a few other things, but that won't work for anyone doing hardware and software development who needs local admin. Plus, as with any large organization, there is a certain amount of stovepiping that goes on, where organizations address things on their own or have authority only over their own parts. Organizations with generous budgets can stay on top of replacing hardware and software and have IT departments, but other organizations that are grossly underfunded will still be running old computers and operating systems, and their IT is handled by Steve, who doesn't really want to take on those responsibilities but handles that stuff because he's known as the "computer guy" and understands it because he likes Linux.