DOJ Says It's Time To Add Ransomware Attacks To The Ever Expanding 'War On Terror'

from the not-everything-needs-to-be-terrorism dept

High-profile ransomware attacks -- some the FBI have tentatively attributed to Russian hackers -- have provoked the kind of response none of us should be in any hurry to welcome. But it's been coming to this point for years.

Malicious hacking efforts -- some of them targeting government agencies -- have been normal for as long as we've had computers and networks. And it's something our own surveillance agencies engage in, whether to search for terrorists or to simply cripple foreign governments. Throughout it all, there's been a steady call by some legislators and officials to turn cyber wars into actual wars. Or, at the very least, allow US government agencies to engage in more offensive hacking efforts, rather than simply play defense.

War -- or anything a government can call a "war" -- is the one simple trick governments use to obtain more power for themselves at the expense of the rights of those they serve. That's why the War on Drugs and the War on Terror are more known for mass imprisonment and mass surveillance than any solid victories over the concepts and products the US has declared war against.

Ransomware is the next thing in line for the "war on" treatment. A DOJ internal memo first referenced by Reuters and shared (by the DOJ!) with Gizmodo is equating ransomware attacks with terrorism.

The U.S. Department of Justice plans to take a much harsher approach when pursuing cybercriminals involved in ransomware attacks—and will investigate them using strategies similar to those currently employed against foreign and domestic terrorists.

The new internal guidelines, previously reported by Reuters, were passed down to U.S. attorney’s offices throughout the country on Thursday, outlining a more coordinated approach to investigating attacks. The new guidance includes a stipulation that such investigations be “centrally coordinated” with the newly created task force on ransomware run by the Justice Department in Washington, DC.

This equation of ransomware with terrorism was made explicit by the acting deputy attorney general, who told Reuters this "model" has been used to handle terrorism investigations but not for malicious cyberattacks.

What this means is information will be shared with other agencies as well as oversight and legislators whenever investigators, analysts, and private sector requests for assistance involve ransomware or other online threats, like botnets and forums selling hacking tools and stolen credentials.

What this will mean in practice remains to be seen. The War on Terror hasn't exactly boosted anyone's confidence in the federal government's ability to respond effectively or appropriately to this omnipresent threat. It has saddled us with the TSA and dozens of useless "Fusion Centers." It has created an FBI cottage industry that allows informants to radicalize random citizens into 20-year prison sentences using tactics that often appear to cross the line into entrapment. It has expanded the buying power of the military and allowed local law enforcement to wield its hand-me-downs against American citizens. It has expanded the reach and grasp of multiple intelligence agencies -- some of which have had their own hacking tools leaked/purloined and wielded by the same state-sponsored hackers and cybercriminals these agencies were supposed to be taking down.

Without a doubt, ransomware is a threat to Americans. It has crippled major industry players, resulting in panic buying and price spikes following production dips and logistics nightmares. And it's only a matter of time before critical systems and agencies are held hostage at virtual gunpoint until ransoms are paid. But considering the underlying infrastructure that allows ransomware attacks to take place is also something millions of non-criminals around the world use regularly, allowing the government to treat the greatest communication tool ever invented as Terrorist HQ isn't likely to make it better or safer for anyone using it.


Filed Under: criminals, doj, fbi, ransomware, war on terror


Reader Comments



  1. AC Unknown (profile), 11 Jun 2021 @ 1:57pm

    This idea is a VERY BAD thing

    Oh boy. This could lead to other nations declaring war on us if their systems get hit by ransomware that comes from our side.


  2. sumgai (profile), 11 Jun 2021 @ 2:03pm

    If it's too sensitive/critical to allow even a momentary outage, why in the name of Gawd is it connected to the internet, public facing or otherwise??? Has everyone supposedly in charge forgotten the meaning of 'air gap'?

    I should think that The Forbin Project would be required lecture material in a good CS program, the thrust being the danger of interconnectivity just because it's possible, and not for any good reason.

    Ramifications, people, ramifications! Geez, Louise.


  3. Rocky, 11 Jun 2021 @ 3:59pm

    Where I work the guys running the IT security is a pain in the ass, but the flip side is that we never have had an intrusion. This is because "the powers to be" fairly early realized when we moved to an online presence that if we had an intrusion it would be very very bad.

    Good security is a long term goal that needs constant work since the threats also change, but many companies live fiscal year by fiscal year where the shareholders demand a yearly return and the budget item named "security" seems like a superfluous cost "since we never had any problems".

    It's like arguing that using a seat-belt isn't necessary because you've never been in an accident, but when you do end up in an accident, don't be surprised if you go head first through the windshield and with some luck only break your neck, making you a paraplegic.

    The amount of stuff on the internet with abysmal or no security is mindboggling, and it's easy to find them by using one of the specialized search-engines that index these systems.

    The solution as I see it is, unless you have an adequate and up to date security to mitigate most threats you don't get insurance and are forbidden from doing any work for the government coupled with stiff fines for the CEO and the board if a break-in happens. Depending on the severity of the break-in and how it affects critical infrastructure the fines should scale up to jail-time. There needs to be some personal responsibility for those who run the company and repercussions if they shirk their duty, and doubly so if this happens to a government agency.


  4. Anonymous Coward, 11 Jun 2021 @ 4:07pm

    Translation: Hackers are about to be sent up the river for life, and are cutting deals to turn in the lawyers who hire them to defame people (see Rose McGowan's claims of being targeted in this manner backed by evidence).


  5. Anonymous Coward, 11 Jun 2021 @ 4:23pm

    What this will mean in practice remains to be seen. The War on Terror hasn't exactly boosted anyone's confidence in the federal government's ability to respond effectively or appropriately to this omnipresent threat.

    Well, that's because it's not really "omnipresent". Terrorism remains pretty rare. So, my prediction is that the FBI will be tricking dumbasses into downloading crimeware kits (that they would've never found on their own), then charging them with crimes. Cuz, y'know, the actual criminals are often in other countries, and that's kind of a pain in the ass with international police paperwork and all. Easier to catch domestic criminals, even if they don't strictly speaking exist.


  6. Rocky, 11 Jun 2021 @ 5:17pm

    Re:

    Just because you are drunk on cheap liquor and feeling lonely you don't have to come here and shit-post to get some validation for your inferiority complex.


  7. Glenn, 11 Jun 2021 @ 6:34pm

    Because just being a society-crippling crime isn't enough to get their notice.


  8. Anonymous Coward, 11 Jun 2021 @ 7:29pm

    What happened to all the "tiger teams" and the other blah blah blah from the early aughts?

    Honestly one can only hope this latest bullshit goes the same way.


  9. Anonymous Coward, 11 Jun 2021 @ 11:04pm

    Re: Re:

    You are talking to your mirror....


  10. Anonymous Coward, 11 Jun 2021 @ 11:06pm

    Re:

    For the same reasons respirators are connected to electricity.


  11. PaulT (profile), 12 Jun 2021 @ 12:09am

    Re:

    "Where I work the guys running the IT security is a pain in the ass"

    Being a pain in the ass is a requirement for being effective in IT security, since you have to spend the majority of your work day either telling people not to do things they want to do, or placing blocks in front of the routes they want to take to make their own workflows easier. Then, the proof that you're doing your job correctly is that nothing happens to visibly justify what you're doing.

    I'm somewhat glad I didn't choose that particular career path, but it's often the same problem facing me in sys admin / devops work, except I don't have to get in the faces of users/developers to get things done. If I'm doing my job properly and we never have any downtime that affects production systems, people assume I don't do anything. If I'm ineffective and people see what I'm doing, we're losing money.

    So, in all these cases the beancounters in many types of company will restrict budgets, training, etc., to what they believe are superfluous roles, and gamble on the idea that the risks introduced are exaggerated by the poor souls trying to do their jobs. With things like ransomware, at least there's a chance of selling budgets to people who don't understand what you do.

    "The amount of stuff on the internet with abysmal or no security is mindboggling"

    But not surprising. Most college level courses, I believe, tend to either focus on the theory of computer science, or focus on the "getting things done" parts of coding. In my experience, most people simply haven't been trained to put security as a priority before they work in industry, and then once they're working there the pressure is always to put new features and revenue-generating improvements above security. Again, this is changing as security breaches make protection more of a priority, but there are so many production systems that have been set up on the fly by people who don't know or don't care about security best practices that it will take a long time to visibly improve.

    "The solution as I see it is, unless you have an adequate and up to date security to mitigate most threats"

    The problem here is how you define these things. What does "adequate" mean? Sure, if you have "password" set as your password, you should be screwed, but what complexity is effective in terms of the law you want to write? How do you deal with zero day exploits, especially on complex legacy production systems where you have to fully test any upgrade to ensure that things aren't broken? What about user rights - sure, there can be strict rules set down in larger organisations with dedicated security and admin teams, but what about smaller shops where people need more permissions than their job title usually suggests in order to support or deploy?

    There certainly needs to be some standards in place, especially to combat the sorts of companies where security is traditionally an afterthought. But, if you want to make it criminally prosecutable not to implement security to a certain standard, I think you have to be extraordinarily careful about what you write into the legal requirements and how.


  12. Anonymous Coward, 12 Jun 2021 @ 1:11am

    Lets be honest here......

    Personally I don't think the 2010 post and ESPECIALLY the comments aged very well....
    https://www.techdirt.com/articles/20111023/02413916479/non-existent-cyber-war-is-nothing-more-than-push-more-government-control.shtml
    But I'm a long time IT guy what do I know....


  13. PaulT (profile), 12 Jun 2021 @ 2:26am

    Re: Lets be honest here......

    A lot happens in 10 years, but I'm wondering where you imagine the contradiction to be. Both articles seem to have the viewpoint that "cyber" attacks are being pushed as a reason to expand powers related to the endless "war on terror", in ways that suggest they're more about expanding government powers than actually doing anything to stem the real threat.

    Apart from the specific issue that we're now being pointed to occasional successful ransomware attacks rather than more nebulous "cyberattacks", I don't really see what's changed. Unless you mean to point specifically to those successful attacks, in which case I don't see how new government powers are going to help stop something that ultimately boils down to poor security practices among contractors and an increase in specific profit motive for outside actors.


  14. Anonymous Coward, 12 Jun 2021 @ 5:04am

    Re: Lets be honest here......

    Interesting. I hadn't realized that Mr. Cushing had essentially written the same post as this one before.


  15. Anonymous Coward, 12 Jun 2021 @ 6:03am

    nothing like a little EXTORTION!

    so.....government is asking for permission to do what government already does? or are they asking to not hide in the shadows anymore and just come out and say "do as you're told!" nevermind what the law says.


  16. sam, 12 Jun 2021 @ 6:08am

    LOL, america's "war on terror"

    This is probably the only "war" that has been widely mocked, cost taxpayers trillions, and has done NOTHING at all in terms of any actual trackable and measurable outcomes.

    Remember, in a war someone wins. In this "war" it's an excuse to militarize all the policing entities and spend billions on useless interdiction.


  17. sumgai (profile), 12 Jun 2021 @ 8:35am

    Sorry, but where electricity runs the respirator, the internet does NOT run the computer. I deduce that you missed the whole point of 'air gap'. Try looking up "computer security", you might get a clue.


  18. Anonymous Coward, 12 Jun 2021 @ 11:26am

    Re: Re: Lets be honest here......

    Well, I guess I don't see everything through a prism of government expansion although as a regular reader and relatively clear-eyed citizen who was considered a paranoid back 30-40 yrs ago I do acknowledge the "scope creep" long in play.
    I am no fan of "wars on....X" that do nothing but feed the machine.
    I also do not like the vernacular of the politicians and such but as for the issue itself, I see it a little differently.
    The scourge of cyberattacks is certainly real. In the last ten years that "issue" is NOT occasional nor is it particularly nebulous. I'd imagine one would feel quite real terror and powerlessness if one were a patient in a hospital while that entity were being held for ransom. Our economy has very real vulnerabilities in the supply chains when this "issue" is in play. I personally rely on the meat food supply for more than just burgers, it's where I obtain life-sustaining medicine. Disruption in just that tiny sliver of global commerce has very real effects on my ability to provide for my family. The Solarwinds "hack" is going to have multitudinous repercussions that I think you are vastly underestimating. And let's not overlook the privacy concerns of the near daily NOT occasional successful data leaks or attacks or whatever you want to call it.
    And sadly as a person on the inside this issue does NOT ultimately boil down to poor security practices although that is a huge issue and certainly not to be discounted. But there are PLENTY of companies that have HUGE budgets and large investments in people and software trying to fight the good fight here. However there are SO many holes and weak points and vulnerabilities that must be found, shored up, mitigated, and attended to. And yes all that can be undone by some dumbass that one has no control over.


  19. PaulT (profile), 12 Jun 2021 @ 12:04pm

    Re: Re: Re: Lets be honest here......

    "Well, I guess I don't see everything through a prism of government expansion"

    Yet, that's the focus of both articles you criticised.

    "In the last ten years that "issue" is NOT occasional nor is it particularly nebulous."

    Yet, the vast majority of attacks are from independent, non-state actors who take advantage of basic security problems. How is giving more unchecked power to state actors going to solve the problem?

    "The Solarwinds "hack" is going to have multitudinous repercussions"

    Yes, and the basic issue is private corporations not paying enough attention to security best practices. How is government going to solve that in a way that is not either counter-productive or damaging in the long term?

    "And sadly as a person on the inside this issue does NOT ultimately boil down to poor security practices"

    Yet, every major example I can think of is down to exactly that.


  20. ECA (profile), 12 Jun 2021 @ 12:09pm

    How about.

    WE Teach these folks HOW to program, to PROTECT themselves?

    That or
    WE change how the internet basically works.
    Where everything is trackable. Every server something goes through has a Tag on it, of the server it went through.
    Then we have a Note system on Every BOT inserted to our computers from EACH site we go to. Then if the system crashes we can look at the logs and find the Culprit and SUE the SITE that allowed it to happen. Then the SITE can sue the 3rd party that did the work.


  21. PaulT (profile), 12 Jun 2021 @ 12:11pm

    Re: Re: Lets be honest here......

    News isn't always news. If something was a problem a decade ago, but it's still a problem now with the parameters slightly changed, it's still newsworthy.


  22. Anonymous Coward, 12 Jun 2021 @ 12:34pm

    Re: Re: Re: Re: Lets be honest here......

    So you think organized criminal actors who by your opinion are non-state supported or affiliated or otherwise independent are somehow not a grave threat to commerce and the general well being of the citizenry?
    What unchecked powers are you referring to?
    I agree that the war on drugs is a profound mistake and grave error in governmental authority and has had a horrifying effect on citizens well beyond just the U.S.
    The war on terror is also an awful transgression on liberty and expansion of govt powers. No doubt.
    But as the author states, "What this will mean in practice remains to be seen."
    So far, having a DoJ take the threat seriously isn't a real problem for me.
    And I have little confidence in our "leaders" to do....well anything constructive.
    But there are state resources that can be brought to bear in this "issue" that can have a positive benefit and make progress in securing our state infrastructure, our private commercial infrastructure and even personal use of IT assets.
    Taking the problem seriously is a good start. Sure this can go sideways real quick with the dysfunctional govt we have atm, and the way both people and institutions are operating from a f'd up set of priorities. But it doesn't HAVE to. Just as not all cops are criminals and not all sinners saints, not every form of govt resource needs to be deployed to screw us all. Just seems that way....


  23. Rocky, 12 Jun 2021 @ 3:43pm

    Re: Re:

    There certainly needs to be some standards in place, especially to combat the sorts of companies where security is traditionally an afterthought. But, if you want to make it criminally prosecutable not to implement security to a certain standard, I think you have to be extraordinarily careful about what you write into the legal requirements and how.

    Well, my thought was that we could borrow some concepts from HIPAA and the safeguarding of patient information. The point is that this kind of regulation should be applied to everyone who runs what can be considered critical infrastructure or services. But as you say, the wording of such an act must be very carefully evaluated.

    My take on personal responsibility in this context is that a company paying a fine doesn't have the same oomph as a person being liable for paying it. And if it happens to be a government agency, any fine issued is just tax-money going from government account A to government account B with an extreme overhead in transaction costs compared to an officer paying it out of his own pocket.


  24. Pixelation, 12 Jun 2021 @ 4:21pm

    The US should declare war on war. Of course, that war would be lost as well.


  25. Anonymous Coward, 12 Jun 2021 @ 4:40pm

    Re: How about.

    sure, that's what China does and it's clear to see that works great for them... right?


  26. Tanner Andrews (profile), 13 Jun 2021 @ 9:45am

    Re: Re: Re: Re: Re: Lets be honest here......

    So far, having a DoJ take the threat seriously isn't a real problem for me.

    Then you may not have been paying attention. When DOJ takes this threat seriously, you get enforcement of CFAA, meaning that screen scrapers and givers of false names and disposable mailboxes are suddenly felons.


  27. Lostinlodos (profile), 13 Jun 2021 @ 8:22pm

    Maybe the government needs to step back for a moment and say “how does this happen”.

    Because the vast majority of cyber attacks boil down to
    Leaving the damn door open
    Or
    Handing over the keys.

    Seriously, are they failing penetration basics or are they handing over passwords?!!?


  28. Scary Devil Monastery (profile), 14 Jun 2021 @ 1:14am

    Re: This idea is a VERY BAD thing

    "This could lead to other nations declaring war on us if their systems get hit by ransomware that comes from our side."

    It does provide a casus belli to everyone, anywhere.

    Imagine the Indonesian cracker acting on behalf of a Russian agency, using a botnet primarily based in Europe, hitting a target within the US over a Guatemalan proxy.

    Do they get to assume every part of the chain a hostile power and plan retaliation/investigation?


  29. Scary Devil Monastery (profile), 14 Jun 2021 @ 1:51am

    Re:

    One issue is that air-gapping a sensitive network is something too rarely done properly. Worst comes to worst the next patch may contain the trojan or another ProjectSauron be inserted via human resources.

    And some networks simply can't be isolated well because of their function. Banking, the health care sector...any major enterprise or industry segment is vulnerable, because when it comes to security out of good, cheap or convenient, you only get to choose, at most, two.


  30. Scary Devil Monastery (profile), 14 Jun 2021 @ 2:25am

    Re: Re:

    "...you have to spend the majority of your work day either telling people not to do things they want to do, or placing blocks in front of the routes they want to take to make their own workflows easier. Then, the proof that you're doing your job correctly is that nothing happens to visibly justify what you're doing."

    One of the reasons sysadmin and security work ends up turning pimply-faced youths into bastard operators is always going to be dilbertesque pointy-haired bosses and cow-orkers looking for shortcuts around inconvenient and time-consuming security.

    "With things like ransomware, at least there's a chance of selling budgets to people who don't understand what you do."

    I have the good fortune, myself, to be working with a company which accepts risk/threat assessments made by experts. But as everyone who's dipped their toes in that business knows, it's an exception that a company manages to retain good operational security.

    "The problem here is how you define these things. What does "adequate" mean?"

    That always depends on the perceived value a potential intruder assigns to your network. A high-profile Big Bounty, like the NSA's exterior shell, will be under constant attack by everyone - from foreign intel to thrill-seeking scalp hunters. Some anonymous major company will mainly deal with script kids lighting their firewalls up.

    For a private citizen "adequate" is usually a well-maintained firewall and AV. It blocks the random probes tossed out at random targets and leaves crackers picking the low-hanging fruit of clueless computer owners.

    For a high-payoff target "adequate" means round-the-clock real-time supervision with a dedicated team of security professionals vetting the inbound traffic and normal operations.

    Most high-payoff targets have better security by far than private citizens but that still leaves them very short of "adequate" protection.

    "But, if you want to make it criminally prosecutable not to implement security to a certain standard, I think you have to be extraordinarily careful about what you write into the legal requirements and how."

    Considering that the bar to be set will also vary greatly depending on how attractive a given target is, I'd say "careful" isn't enough. That legislation would have to cover some very specific details and you might have to build a whole new set of ISO standards around it.


  31. Scary Devil Monastery (profile), 14 Jun 2021 @ 2:32am

    Re:

    "Translation: Hackers are about to be sent up the river for life..."

    You always keep doing this, Baghdad Bob. Someone posts about new legislation to deal with an old problem and you instantly show up to proclaim that what is essentially political posturing is instead the magical solution to cure all ills.

    I guess the reason snake oil salesmen are still around is because there's always that one village idiot who can't be helped and keeps handing his faith money to the grifters while wiser people just shake their heads sadly.


  32. Scary Devil Monastery (profile), 14 Jun 2021 @ 2:42am

    Re: Re: Re: Re: Re: Lets be honest here......

    "But there are state resources that can be brought to bear in this "issue" that can have a positive benefit and make progress in security our state infrastructure, our private commercial infrastructure and even personal use of IT assets. "

    There really aren't, because "This is the way you MUST lock your door" has never panned out well.

    On the contrary I can point out that when the state decides to build a standard solution for what "security" must look like you aren't helping citizens against criminals. You are building parts of a skeleton key criminals will use against every citizen.

    "So far, having a DoJ take the threat seriously isn't a real problem for me. "

    Really? Name one single thing the DoJ has done in a great many years which wasn't 100% a political hack job without any beneficial - or even non-harmful - effect on citizen security? The DoJ of today is about as reliable as their old soviet counterpart.

    "Just as not all cops are criminals and not all sinners saints, not every form of govt resource needs to be deployed to screw us all."

    Here's the problem: it only takes one. One piece of bad legislation. One corrupt legislator pushing a bad agenda with the DoJ. One Bad Cop. And legislation meant to determine or shape what security must look like? Is as insane as mandating that all doors must have a specific type of lock; within the week every burglar will have a small keyring enabling them to unlock every door in the country.

    If I were you I'd be looking at this as the next lever the DoJ tries to use to backdoor existing private security.


  33. Scary Devil Monastery (profile), 14 Jun 2021 @ 2:45am

    Re: LOL, america's "war on terror"

    "This is probably the only "war" that has been widely mocked, cost taxpayers trillions, and has done NOTHING at all in terms of any actual trackable and measurable outcomes."

    Not to mention has empowered the actual enemies.

    The Saudis must have been laughing for a long time now. They're still both the wallet and the motivator for Islamic fundamentalist extremists in the Middle East yet have remained utterly untouchable by every administration to take the White House yet...


  34. PaulT (profile), 14 Jun 2021 @ 4:27am

    Re: Re: Re: Re: Re: Re: Lets be honest here......

    "You are building parts of a skeleton key criminals will use against every citizen."

    This is one of the problems for me. It's possible to write the legislation in a way that's essentially meaningless because people can implement shoddy security that still passes vague rules. It's also possible to write it in ways that make certain types of security mandatory even after technology has improved and provided a better solution. That can provide guaranteed routes to access for criminals who have worked out ways to bypass the mandated security, and also risks forcing companies to shell out large amounts of money for "security" that's unnecessary or ineffective.

    There's a good discussion to have about what the mandated rules would be, but I can imagine it going very wrong - as most attempts by government to directly control industry practices often do.

    "If I were you I'd be looking at this as the next lever the DoJ tries to use to backdoor existing private security."

    Exactly. Bear in mind that the people charged with setting the rules would be the same people who think that it's possible to build a backdoor into encryption that nobody but the "good guys" will be able to access, or that changing a character in a URL is criminal activity that requires jail time. It would be hard enough to get a truly adequate and workable set of rules if all parties are working honestly toward a common goal. Throw in reality of how these bills are written and debated, and there's a lot of room for major problems.

  35.
    PaulT (profile), 14 Jun 2021 @ 4:37am

    Re: Re: Re:

    "Most high-payoff targets have better security by far than private citizens but that still leaves them very short of "adequate" protection."

    Yes, so it needs to be agreed what "adequate" actually means, especially if it's going to encompass every type and size of company. A small startup with a couple of developers needs different working practices than a corporation with thousands of users, and it literally cannot be a one-size-fits-all approach.

    You'd also have to allow within that how requirements change as a company grows or pivots - the small dev team will need to implement different practices as they grow, but when and how will they be tested on this? What about when the company has to shrink, or completely change their company culture? Would they suddenly face a complete set of rules to be judged against if, for example, they suddenly have to move from 100% on premises staff to majority remote workers, as so many had to recently?

    "That legislation would have to cover some very specific details and you might have to build a whole new set of ISO standards around it."

    Really, the only way in which it can be remotely effective in the long term is to have a professional body that creates and adjusts the standards as required, but I'd be uncomfortable giving those legal power over an individual with regard to criminal prosecution.

  36.
    PaulT (profile), 14 Jun 2021 @ 4:39am

    Re: Re:

    "You always keep doing this, Baghdad Bob"

    It is amusing, if only because whenever he tries doing something like providing a "translation", he's usually just telling everyone how little he understood about the article, even assuming he read the whole thing (unlikely...). The fact that he also attempts to shoehorn a different issue which he also doesn't understand is just the icing on the cake.

    "I guess the reason snake oil salesmen are still around is because there's always that one village idiot"

    Oh, how great would it be if there were only one idiot in each village...

  37.
    Scary Devil Monastery (profile), 14 Jun 2021 @ 7:14am

    Re: Re: Re: Re:

    "Would they suddenly face a complete set of rules to be judged against if, for example, they suddenly have to move from 100% on premises staff to majority remote workers, as so many had to recently?"

    Well, if nothing else this shit would seriously prevent shareholders from "reorganizing" the company too much every three years. If you needed a full security audit performed by IT experts to vet every new process in place to ensure it doesn't compromise security...to say nothing of the hassle if you need to change your business model. If we wanted to turn the entire private sector into a tribe of giants on clay feet, this is a good start...

    "...but I'd be uncomfortable giving those legal power over an individual with regard to criminal prosecution."

    Well, since we know ignorance is no excuse under the law, at least we can, uh, look forward to quite a few PHBs ending up with their necks on the block if the DoJ have their way.
    While we're at it we might as well rename the DoJ to the "Ministry of Love" or something similar. It's all for our sake, after all.

  38.
    Scary Devil Monastery (profile), 14 Jun 2021 @ 7:20am

    Re: Re: Re:

    "Oh, how great would it be if there were only one idiot in each village..."

    Unfortunately idiocy appears to scale. At least in smaller communities people who are challenged in the thinking department often realized this. Today they end up in echo chambers with like-minded idiots and fester.

    "Thomas Twp Too : This is my brother, Thomas Twp, and I am Thomas Twp Too."
    "Thomas Twp : We've no learning, and most people say we're twp. But we're not so twp as to not know that we're twp."

    • The Englishman Who Went Up a Hill But Came Down a Mountain.

    [twp: Welsh for "daft", "foolish", or "slow-witted"]

  39.
    Scary Devil Monastery (profile), 14 Jun 2021 @ 7:24am

    Re: Re: Re: Re: Re: Re: Re: Lets be honest here......

    "Throw in reality of how these bills are written and debated, and there's a lot of room for major problems."

    Call me naïve, but I still find it outrageous that the best portrayal of how politics happens is still that old show Yes, Prime Minister from the 80s...

  40.
    PaulT (profile), 14 Jun 2021 @ 7:49am

    Re: Re: Re: Re: Re:

    "Well, if nothing else this shit would seriously prevent shareholders from "reorganizing" the company too much every three years."

    Which is great for certain types of company and operations. But, it could be disastrous for others. I've personally worked for companies of all sizes, but the two main startups I've worked for had to go through complete pivots and/or reorganisations during my time there.

    One company realised that their core product wasn't working as well as it could be and ditched the US arm due to problems getting around legislation there (it was gambling associated), so went quickly from a 30 person operation with 4 offices in San Francisco, London and Gibraltar to around 12 people in 2 offices in the latter places. I can imagine that badly-worded legislation in any of those places could have killed the company dead - especially if it were written to try and stop companies from just offshoring to avoid having to comply. 10 years later, that company is a publicly traded going concern. The other startup had to completely reorganise across 3 countries at the start of the pandemic, and being closely tied to physical retail it would also have been destroyed by laws preventing them from doing so.

    This is why it's important to get these types of legislation absolutely correct before you start threatening people with jail time. Interfering with companies you despise will quite quickly destroy the ones you don't if you're not careful.

    "Well, since we know ignorance is no excuse under the law"

    I'm not describing ignorance, wilful or otherwise. I'm describing people making mistakes within the confines of their daily workload in companies that are too small to require other IT staff to complement the senior devs. The specific example I had in mind was the only time I've ever seen ransomware in the flesh, where a dev learning how to use ELK for the first time (nobody else in the company having used it) messed up a firewall rule when deploying to production and the data got breached.

    There was no harm in that specific case (the company didn't deal with sensitive customer data and the stack was new enough that we could afford to just nuke it), but there's no way that threatening the CEO with jail time could have changed the situation, and the only logical prevention that could be done would be to implement extremely out of proportion change control procedures that would naturally cripple a team of 3 devs.

    Again, what's suggested might be fine for a large company where the PHB ignores requests for adequate security to improve margins, but if the laws are written in ways that don't distinguish between those and human error made in a startup environment, those aren't necessarily the people who end up with the severe punishments.

  41.
    PaulT (profile), 14 Jun 2021 @ 8:01am

    Re: Re: Re: Re: Re: Re: Re: Re: Lets be honest here......

    Being from the UK, there have been many prime examples - House Of Cards, The New Statesman, The Thick Of It, and so on. Most of them feel pretty accurate, although usually played for various degrees of comedy, and none of it's particularly flattering.

    It's also worth remembering - the original series was Yes, Minister. YPM was the sequel series after winning an election with the tactics displayed...

  42.
    Rocky, 14 Jun 2021 @ 8:27am

    Re: Re: Re: Re: Re: Re:

    This is why it's important to get these types of legislation absolutely correct before you start threatening people with jail time. Interfering with companies you despise will quite quickly destroy the ones you don't if you're not careful.

    Which is why any legislation must be flexible. If your company runs critical infrastructure for example, then you must have reasonable security that can deal with the most common threats too.

    I.e., the legislation must take into consideration what impact a ransomware attack or a data leak has, and that can for example be judged by a set of rules that says that to protect this kind of data or infrastructure you must guarantee that your security solution adheres to these criteria. Specifying how to implement such security only means it's out of date as soon as it is set on paper.

    And if your company ignores these rules and gets pwned, a court needs to determine the level of negligence and issue fines or any other punishment deemed necessary in relation to the negligence, which is scaled with the importance of the systems or information impacted.

    There's also a tie-in here to consumer products which usually have non-existent or abysmal security which allows them to be taken over easily. Just banning the sale of any product that doesn't require a password change during initial setup would mitigate the size of some of the bot-nets around for example.

    In a society that's becoming more and more dependent on IT systems working, we need to make sure that those that are playing fast and loose with IT security that impacts people's lives are punished.

  43.
    Scary Devil Monastery (profile), 15 Jun 2021 @ 1:35am

    Re: Re: Re: Re: Re: Re: Re:

    "Which is why any legislation must be flexible. If your company runs critical infrastructure for example, then you must have reasonable security that can deal with the most common threats too."

    Well, yeah, but as stated by both me and PaulT above, how do you define "reasonable"?

    If a student parks his old bike somewhere a simple chain lock might be sufficient security because that bike isn't really worth the hassle for a thief. But for a company the risk/threat assessment radically shifts not just based on how critical their system is, but how desirable a target it is.

    The water mains won't be targeted by anything other than a script kid and a few spooks from abroad eager to figure out how it works and how hard it is.
    The game developers sitting on ten million credit card numbers and user accounts, otoh, will be under persistent attack 24/7.

    So to define "reasonable" the company would have to be thoroughly audited by an expert team making an assessment not just on how vulnerable the network is but also the possible ramifications of a breach and an evaluation on how desirable it is to breach the network. That's, so far, a minimum of three expert fields you need to cover at a whopping expense.

    Yeah, you can make a law about this, but it's going to be the equivalent of a law saying that you are only allowed to own a car if every time you fill up the gas or change the oil that car is vetted by three high-paid experts who are likely to bill you as much as the car cost when new, every time they run the audit.

    "...the legislation must take into consideration what impact a ransomware attack or a data leak has, and that can for example be judged by a set of rules that says that to protect this kind of data or infrastructure you must guarantee that your security solution adheres to these criteria."

    And in practice that sort of information isn't going to be available:

    • Every time the company gains stock market value - audit.
    • Every time the company reorganizes - audit.
    • Every time the business model is changed - audit.
    • New owner? - audit.
    • New customer? - audit.
    • New innovation or patent? - audit.

    And bear in mind this won't be an audit which we're normally used to seeing - the kind where three gents from an independent auditing company show up and eat a few hundred hours of work time from the company as a whole just to present the normal three-year evaluation on fiscal responsibility. This will be the "dawn raid" version where a horde of highly paid experts in their respective fields take the company apart and reassemble it while trying to figure out every minute detail and the ramifications they have.

    "In a society that's becoming more and more dependent on IT systems working, we need to make sure that those that are playing fast and loose with IT security that impacts people's lives are punished."

    Well, yeah, but there are limits. The average apartment door can always be breached by two people with a crowbar or someone with a battering ram. Normal citizens can't afford a vault door right out of the Fallout series.
    Similarly no normal company can afford the operational security or the processes around such security afforded by the NSA.

    When it comes to security there's a golden rule: you can have any two of cheap, convenient, or secure in a well-built security solution. Never more.

    Private enterprise will always opt for "cheap" and is often forced to also opt for "convenient" because it can't teach every employee to become an expert.

  44.
    Scary Devil Monastery (profile), 17 Jun 2021 @ 6:20am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: Lets be honest here......

    "It's also worth remembering - the original series was Yes, Minister. YPM was the sequel series after winning an election with the tactics displayed..."

    Both those series were sheer genius. And it turned out that the scriptwriters had actually pumped genuine senior civil servants for scenarios those old gents had actually witnessed for real.

    Satire too often turns out to be reality, I think.
