What A Sarbanes-Oxley For Computer Security Might Look Like
from the bad-ideas dept
One problem with all of the constant talk about data breaches, phishing and identity theft is that it definitely has the potential to induce some shortsighted legislation in hopes that it will make the problem go away. Some have even said that nothing will happen on the legislative front until we see some sort of "digital Enron" that forces politicians into action. Of course, the actual Enron resulted in the much-lamented Sarbanes-Oxley, which stands as evidence that sweeping laws shouldn't be made in haste, during times of crisis. It's not clear whether or not we've had our "digital Enron" yet, but already some pundits are putting forth their ideas for a digital Sarbanes-Oxley. Ira Winkler at Computerworld argues that Congress should mandate ISP liability for malicious traffic on their networks, something which we've argued many times is a bad idea, since it's an approach that goes after the wrong party. But this is just the beginning. In addition to placing liability on ISPs, he says that individual computer users should be held liable if they fail to keep their computer secure, and it becomes part of a botnet. It's really hard to know where to start with that idea, other than to say that it again goes after the wrong party, and it could really discourage the average person from ever wanting to go online. His final suggestion is that Congress pass a law that makes security software better. He doesn't really offer anything concrete on this point, which is not surprising, because it's really out of the realm of what Congress can do. Simply legislating that something be made better will only increase the costs of making it, and reduce its availability. Seeing as the government can't even pass effective laws against spam, anything that it does in the area of identity theft or computer security should be viewed suspiciously. Fortunately, this particular proposal seems so extreme, it's hard to imagine it going anywhere. It's also interesting to note that this is the second thing we've seen today from Computerworld that calls for more government involvement in tech issues. Sounds like they could use some more skepticism about the government's ability to solve these problems.