by yeukhon 3343 days ago
I feel like we need laws in place on software and hardware security. Laws to punish crimes are good, but we also need some regulation, simple ones, to govern how companies have the obligation to manage software and hardware security.

I think:

* companies running a website and collecting customer data must have an incident response plan laid out.

If we punish bad service providers reported by consumers, why can't we do the same? We are talking about companies ignoring and downplaying even the most low-hanging fruit vulnerability, and companies that don't understand web security because the workers there have no clue what they are dealing with. If we can't raise our cyber security awareness and education domestically, then we fail at being a top technology leader in this world. I don't expect every company to hire a security engineer; perhaps it could be done under some managed services.

1 comment

This is a very dicey subject. I think it's best to keep it loose as long as possible. Introducing a regulatory body into any field is perilous, but in something as fast-moving as software and security it would be frightening. What happens when the regulation is that you have to use the algorithm that was cracked last month? Eek.

Voluntary, socially-enforced customs are better. Things like the MPAA rating system have successfully staved off government intervention. Such standards are much more flexible.

We already have this de facto via TLS and the browser's angry messages if you don't comply with its expectations, but it'd be interesting if browsers started running a more thorough security verification program and giving preferential treatment to sites that implemented it.

That is also scary because it centralizes more control in browser manufacturers (which, today, means Google almost as much as it meant Microsoft in the oughts). But still better than the government I guess, and blocking a site in software is much more motivating than the risk of a fine for non-compliance.