[thoth]

Defense may be the only game worth playing, but how will that work? Unlike the real military where civilians simply don't own the hardware, in computer security they do.

NSA isn't a hardware or software vendor, and the corporations that are don't have much of a profit motive to heavily invest in security. They aren't actually liable for problems unlike say a car manufacturer that releases a faulty product, which leaves what exactly... reputation that takes a hit? But every vendor has bugs and security issues and the market isn't really punishing anyone.

Is the future effectively an enormous government subsidy to profitable corporations (i.e. NSA and other US government agencies basically become extensions of corporate America's QA department)? Is the future heavy regulations to create the proper financial incentives and/or penalties so corporations start seriously spending on security?

It's easy to say "the government should do something!!" but what exactly will that look like?

[Quarrelsome]

Regulate operating systems. Fund programs and research to work out how to create operating systems for our infrastructure that contain less zero days. Ensure we're the ones that find the zero days first.

The reason we're vulnerable is because we're unwilling to pay the cost of finding the exploits but people in developing nations ARE because they work for "less".

Right now our economies and systems reward those that fly by their pants and don't care for security. That is the problem. The free buffet of infinite growth from technology startups is the very thing that also gives us this pain and we need to learn to eat less.

[SCHiM]

I see that going wrong too. If operating systems need to be certified, where does that leave free open source projects?

[jessespears]

This would take an extraordinary departure from our current politics. Government intruding on software would (rightly) cause cries from the most stalwart Free Software advocates and from proprietary software companies.

Can you imagine the outcry if a new Linux fork had to seek government approval in order to post their distribution?

Can you expect Google or Oracle to fail to lobby the government to make sure they don't have to get each major revision certified?

[floatboth]

Not in order to post their distribution! Approval for usage in critical infrastructure.

Critical infrastructure, IMO, should:

- not use general purpose operating systems

- maybe not use general purpose computers (just build custom FPGA logic to control power grids and stuff)

- not use internet connected computers

- maybe not use computers at all when possible

[CWuestefeld]

Regulate operating systems.

When we're trying to protect ourselves from the vulnerabilities hoarded by our government, I think that asking them to regulate the OS might just be a step backward.

[andrewjl]

Regulation, especially for software powering critical systems. We'd have to have a good definition for what critical means, probably with different levels that escalate the security requirements.

[sqeaky]

Change the law and make them liable. This would let the market solve the problem, but there is no way microsoft, cisco and the like would go for it.