by GreenToad5 2801 days ago
Government regulation? They can't keep themselves secure. There was just a post here a couple of days ago saying how vulnerable the DOD's systems are. How are they going to police others when they can't police themselves?

I work in the banking industry where security IS regulated (by the FDIC). We have government auditors come and review our technology once a year. These guys don't know what the hell they are doing. We have had blatant security problems (now addressed) that they couldn't see right in front of their nose. Community banks have terrible security. Larger ones are better, but still rife with problems.

I fail to see how government regulation and intervention has helped in my industry, or how it would help in any. If by regulations, you mean that we would get fined if some data got compromised, that already happens through negligence lawsuits. It is not an effective motivator though.

In my experience, the threat/worry of bad publicity is actually the best motivator in a company getting their security up to par.

10 comments

> Government regulation? They can't keep themselves secure

Wouldn't this be akin to saying "Criminal laws? The cops can't even police themselves!"? It can be true, and you'd still need a framework to define the wanted behaviour anyway. Enforcing the standard is an important and separate issue.

> Wouldn't this be akin to saying "Criminal laws? The cops can't even police themselves!"

Yes it is. Not too long ago there was a major issue with undercover cops in Baltimore committing many of the serious crimes that they were supposed to be policing! [0] The commissioner (rightly imo) suspended undercover enforcement indefinitely.

[0] https://www.washingtonpost.com/local/public-safety/plainclot...

Criminal laws exist though, so you miss the mark in your objection.

> In my experience, the threat/worry of bad publicity is actually the best motivator in a company getting their security up to par.

If that were true, Facebook would not exist.

> I work in the banking industry where security IS regulated. We have auditors come and review our technology once a year. These guys don't know what the hell they are doing.

Regulations do not make problems disappear, but they make the situation better, if you vote for politicians that want to improve it instead of politicians that are paid by lobbyists to free companies of their responsibilities.

> Regulations do not make problems disappear but make the situation better.

I also work in banking (major financial hub in Europe). Regulation is the bane of security and data management because it adds several layers of complexity on top of already complex processes. It leads to people performing repetitive tasks to comply with regulation, leaving no time for in-depth analyses, process reviews and enhancements, and the clean-up of sensitive data.

You provide a baseless assertion shoehorned with a comparison to lobbyists nobody ever brought up. I can't prove a negative but you sure didn't prove your positive.

A big problem is that regulation tends to be pretty porous. Rather than curbing bad behaviour, it just adds, as you say, several layers of complexity on top of the bad behaviour. And the task of handling that extra complexity ends up on the desks of the working grunts keeping the system churning.

Like with GDPR, the regulation was to give people control of their data and make privacy by default an available option. But it's just given users more hoops to jump through before scooping up a user's data anyway.

Regulations tend to be a bit of a nudge in the right direction, but play out as something systems have to work against to keep things running the way they were before.

A second huge problem is that governments ... don't know how to do security. So they just mandate some random measures.

And then the problem is that people follow their measures ... and see this as absolving them of further responsibility. In many cases in the financial world that isn't just laziness: that's actually how the law works.

So much of the regulation burden doesn't just force the whole market into large companies, it actually opens up and legally mandates not security, but security holes.

Can you please provide a single case of a high-profile security breach that was caused solely by regulation? That must be easy if what you say about regulation opening holes is true.

The point is not that regulations make the situation better for banks, but for the general public.

I'm also working for a big European financial institution and am directly involved with reporting to the various financial authorities. Granted, this is complex, and the worst is that there's very little tolerance for mistakes (each non-reported trade which is supposed to be reported costs a bank thousands in fines).

But you know what? After all that shit that our employers pulled against society at large in 2007 / 2008 I totally support those requirements.

Yeah, self regulation of the financial industry! What could ever go wrong with that?

edit: Added timeline

My suggestion would just be to significantly ramp up the fines. No need to bother with pointless tickbox compliance audits and all that other stuff. Obviously you would also have to have some pretty strong rules around covering up security breaches - I would suggest explicitly making it a serious criminal offence.

Hopefully the GDPR will have a positive effect here. If you suffer a security breach, you can expect to face severe financial penalties. I'm sure companies will figure out how to secure themselves surprisingly quickly after they see a few of their competitors get fined several hundred million euros.

IF we apply the same to political organisations' leakage, then ok.

Keep in mind that Congress, EU parliament, EU commission and I'm sure many others were all hacked in the past 2 years. Needless to say, they all see themselves as above this whole regulation thing.

And of course, those penalties cannot come from the tax coffers. They need to be leveled against the pay of the politicians, because otherwise how could they ever work?

The EU parliament's websites are currently clearly in breach of the GDPR as well. Let's start there, shall we?

As long as this is their attitude, I feel like this is not an acceptable solution.

You are correct sir, however the EU commission believes it doesn't actually have to follow the GDPR at all! They were called out on their non-compliant website shortly after the law activated and announced that for "legal reasons" they didn't have to follow it.

> They can't keep themselves secure... they can't police themselves?

What does that have to do with it? Better laws on security will force the government to police itself better too.

Simple example: a law requiring all passwords to be stored with unique salt and encryption of certain minimum strength. Or a law preventing IoT devices from functioning on a network when their password is still set to the default.

How do you fail to see how simple actions such as these would help?

Both examples that you give are sound, and I would support regulations that enforced these basic security guidelines. The question is whether these are the types of regulations we would get. I expect there would be rather a lot of useless and silly regulations that do nothing but drive up costs.

This is not a rhetorical question, I'm just trying to better understand how this process would work. Who would be designing and brainstorming these laws in the government?

I do not know the answer to this question. It seems reasonable that a "committee of experts" would be designated by the politicians for this purpose, but I don't feel confident that one could be sure of the expertise involved, or whose interests would be served.

> We have government auditors come and review our technology once a year. These guys don't know what the hell they are doing. We have had blatant security problems (now addressed) that they couldn't see right in front of their nose.

I've seen the same issues in SarbOx audits. The auditors don't know beans about the underlying technologies. A lot of evidence requests take the form of screen captures showing x. Well... I can give you a screen capture showing you whatever you want, whether it represents reality or not. Ultimately, with or without regulation, it comes down to people being honest professionals. Regulation is all for show.

> In my experience, the threat/worry of bad publicity is actually the best motivator in a company getting their security up to par.

I think the Equifax debacle has shown otherwise.

Big corps have too much lobbying power and PR presence for public shame to make a lasting impression. Facebook is on the hot seat right now, but that too will pass since legislators are fickle and myopic. Heck, Google straight up shut down G+ because of "Security Concerns" and no one batted an eye.

> In my experience, the threat/worry of bad publicity is actually the best motivator in a company getting their security up to par.

The banking industry got the regulation it has now because this did not work.

If the situation is as bad as you describe, then apparently not even the threat of government regulation was sufficient motivation for banks to get their act together.

And as we noticed in 2000, 2008 and in the EU crises:

Regulation does not work either. For 2 main reasons:

* Regulations are stupid and do not catch all problems, which then causes those uncaught problems to become systemic and threaten not just the bank but the entire country, because regulation often also forbids or discourages banks from checking other problems (or at the very least pushes an attitude of "if you check compliance with the regulations, security check done").

* Governments cannot be trusted to carry out the regulations ("too big to fail")

This is all true. Security is best implemented when it’s baked into an organization’s processes. The government barely has enough budget to pay for server space let alone invest heavily into dedicated security teams. Most work is handed off to outside private contractors but they are hamstrung by the same budget issues.

Security concerns are almost certainly best handled by private industry except in rare cases like national security or the public markets. For example if Boeing becomes known for being easily hacked and flying unsafe planes, how long do you suppose they’ll be around?

A company’s livelihood relies on the perception of being secure and they are well aware of this so the ones that want to succeed absolutely invest very heavily in security. A successful hack doesn’t mean companies don’t invest in security or that people don’t pay for it.

Companies' lives are on the line, I mean it is terrible that Equifax doesn't exist after losing all that customer data after being hacked...

Wait

I'm going to exploit this comment, which is at the top of the thread and stands above another comment that argues against government regulation in the software industry, to tell you guys this: hopefully this industry will be regulated from top to bottom before too long. GDPR came, hopefully more will come, w.r.t. security, privacy, and even UX standards (e.g. all companies should be required to accommodate all sorts of disabled people, probably by allowing assistive tech in the browser to work properly on their websites).

You guys will not and do not want to fix the status quo where shitty software is pushed onto us. You guys will not stop implementing unethical, "aggressive" software. So someone should be watching over you, entrepreneurs and devs, and that someone is the government.

Government regulation need not be perfect. But it needs to be there. That means companies will be more incentivised to keep their shit together. Surely your bank would be doing worse if nobody was watching over. If more budget and worktime is devoted to such regulation, it will become better.

I understand that no regulation is a strong political position in the US, but I call bullshit on it. I wouldn't bother writing as I'm mostly at the user side of things these days but I wanted to write this given most of you are devs here. It is not about some silly social network or an irrelevant SaaS anymore. The world runs on this, software is as important as medicine and food to our livelihood, and the software industry needs to be regulated like medicine or food industries are. Something simple like Twitter and Facebook affects lives of the masses. You'll have to get your... act together.

Your argument is that banks don't have the will to fix security issues. The parent was arguing that security is hard and that the government is not particularly competent at it, so is not in a position to define raised standards. You're not even having the same conversation.

Some complex CPU or encryption bugs are what make full security hard. But most security breaches are because of people doing stupid things. Unprotected public databases or S3 buckets, SQL injections, plain text / easy to guess passwords, out of date software, etc. I am ready to bet that those alone constitute more than 90% of the breaches. And this is the result of mere amateurism. If tech people do not care about security or aren't competent enough to take even the most basic steps, regulation is absolutely the right response.

So make banks liable for damages as a result of losses from security breaches. Presumably they already are. That solves the problem.

> The parent was arguing that security is hard [...]

It isn't though, at least not compared to the state of things. Pretty much any government would be competent enough to mandate some sort of two-factor authentication that would greatly improve security and make a lot of phishing and hijacking a thing of the past. Of course different governments would have different success rates, if not in terms of security at least in terms of elegance. But that is like everything else. People die everyday by the lack of road safety and healthcare.

I used to work in the security industry, I've seen what government compliance looks like. Regulations usually sound logical and great from a shallow analysis, but once you've seen some implemented you'll realise they're often atrocious at achieving their intent.

And what impedes their amelioration so as to dismiss them in their entirety?

I'm not trying to say that regulations can't and never work, just that most of the time they don't because they're extremely hard to get right. They suffer from the same problems as law - it's extremely difficult to codify intent. Couple that with the fact that lawmakers usually have very little awareness of technical details. Say for example they do in fact mandate 2FA for all banks. But then all banks rush out various implementations to meet the requirements. Some provide SMS-based solutions which have known security risks, some provide codes that don't lock out, some do everything right but now people who can't get a 2FA app (those who don't have smartphones, for example) can't access online banking any more. There are accessibility concerns. In the meantime, the security industry has finally cracked federated identity, but banks can't offer it because all access has to be through their 2FA solution.

Obviously that's a fairly bad-case (though not worst-case) example of how things could play out, but I think it serves to prove my point that "just force them to do X" is not always a sound approach. Well-designed regulation using sufficient consultation with experts (actual experts rather than snake-oil consultancies) and with a view to the future and how the state of the art might change can be effective (though still not flexible enough to accommodate exceptional circumstances) but that's the exception rather than the rule.

Oh yeah ... I see it now. Instead of the "do you accept cookies" in your face idiocies we now need to identify ourselves using 2 factor authentication on every website.

That sounds SO great.

Obviously there are no realistic security measures that are 100% effective. All this will amount to is further cementing the power of large internet companies. You know this, so why ask for it?

"Do you accept cookies" is only relevant because there isn't a separate login mechanism in HTTP. Actually knowing whether you are sharing data with the website, and what website that is, would be a major improvement. Security measures don't have to be 100% effective. Just like road safety, you should focus on removing the impact of flaws, not on preventing flaws as such. A separate authentication mechanism would remove a large amount of security issues, including potentially phishing and password leaks entirely. These common security issues of compromising the system of the user or the company would simply not have the same impact anymore.

A not insignificant part of the large Internet companies' power comes from the fact that they are the only ones who can handle, or people trust to handle, security. It isn't that hard today to create your own e-mail system or smart phone. But managing those systems, especially for a reasonable cost at scale, is just beyond what most new entrants in the market can handle.

Government mandated authentication mechanism. This question is almost a joke: what could go wrong?

Everything can go wrong.

> A not insignificant part of the large Internet companies' power

So it's about breaking the power of large internet companies? Figures. Can we please do that WITHOUT destroying the web? The last regulation that tried to break the power of large internet companies was the GDPR, and that has significantly entrenched the position of the large internet companies instead, while creating a ridiculous amount of inconvenience for everybody. This ... will do the same.

People WANT to share that data. Or perhaps I should say, they want the things that happen when they do. Quick searches that get them the products they want, on Google, on Amazon, on clothing shops and on tons of small webshops. Even the obnoxious image ads. People want them.

That means that a login mechanism will just be an extra hurdle with zero of the effects you want.

Taking an argument to its extreme is bound to make it seem ridiculous. Certain websites require certain levels of security. Not every govt building has troops with war grade guns awaiting them.

Perhaps, but would you have said the same if I put a comment about "accept cookies" nonsense in a pre-GDPR discussion?

So ... perhaps not.

GDPR is a terrible law. The EU had one terrible law which forced cookie popups on every website, and now GDPR forces even more meaningless popups nobody reads, and I'm not even in the EU.

> now GDPR forces even more meaningless popups

But it doesn't.

GDPR forces companies who are collecting user data to obtain explicit consent for that collection. The fact that companies decided to make your user experience shittier instead of fixing their approach to data collection is the problem there.

The problem is that people don't care, but governments are trying to force them to care. People don't care, because they don't bother to look for other websites without cookies, so companies don't care either.

If you enforce a rule on two parties minding their own business, you encourage changing this rule into some type of mindless ritual. Ok, we will do what you say in the letter of the law, but we won't try to follow the spirit because no one cares.

And this is exactly what is happening with cookies. Companies don't want legal risks (GDPR or not), consumers don't care, voilà! Mindless cookie banners, stupidly long and expansive Terms of Service, etc.

That's a very bad argument. Sure, people may not care enough now, but that's just because the threat is new and poorly understood. There was a time where people didn't care about getting lung cancer from smoking, but then it changed.

I would become an EU citizen if I could, the day GDPR went official. It is the second best thing to happen in this industry after the invention of the WWW itself. Hopefully more is to come and more countries adopt similar measures, and browsers start providing standardised UI for GDPR etc. related options so that those popups, if they exist, are rendered futile.

Browsers already offered standardised UI for accepting or rejecting cookies. The EU didn't care and now every website has its own totally non-standard popup that can't be scripted or automated away. It's a disaster that shows how clueless governments can be about this stuff.

Governments move slowly. Security best practices are evolving quickly.

My team is working through FedRAMP/NIST compliance right now. We have sadly adopted the saying, "Security or compliance, choose one." We have literally rolled back a more secure implementation in order to be compliant. Regulations can't keep up.

I'm not ideologically against regulating the software industry, but I have doubts it can be done successfully.

> Surely your bank would be doing worse if nobody was watching over. If more budget and worktime is devoted to such regulation, it will become better.

Banks that got into trouble recently:

* Cypriot banks

* Greek banks

* Monte Dei Paschi

What has the government done? None of the savers still have 100% of their money. So no, I don't think my bank would be doing worse ...

Or perhaps you mean the expert government handling of the bank problems of 2008? Yeah ...

So what was the point again?

Wut? We write bugs all day every day, we should just quit coding entirely if we follow that sort of logic. Mistakes happen, they get fixed, those in good faith among us help them get fixed.

I tend to agree that there needs to be some regulation. Probably as simple as fines for breaches that are based on the volume and details of the data leaked. This will make business think twice about what they store. It also makes it easier for providers / devs to argue for increased security if it's legally required.

Users (the market) are a big part of the problem. I run a SaaS product, and I've chosen to enforce a Magic Link login (one-time token-based sign-in, like Slack) to mitigate the issue of horribly insecure user passwords (e.g. sn0w3d1n). I get a significant amount of pushback on this though, and it was probably a bad idea from a business perspective, but luckily I'm in a position to force it anyways.

It's a simple formula. When you increase security, you also decrease convenience. My hope has been that the market eventually demands security (it becomes a service differentiator people value), and maybe some day it will. But you're probably right in that we need big brother to enforce it on people's behalf because most care more about convenience than security and probably don't realize how much damage could be done to them by using the same terrible password for 10 different web sites (including email and banking). I generally take a libertarian point of view on most things, but not exclusively. I do think we benefit from government involvement in some issues, and this is probably one of them. I don't mean to say this from an elitist point of view either. Security is complex and people are busy. It's naive to expect everyone to grok it.

I'd love to enforce 2FA, but it's going to be a complete mutiny from my customers if I do.

Banking seems to be doing pretty fine, actually. Can't remember any cases where customers lost money.

So maybe they are doing something right.

> the threat/worry of bad publicity

Yeah, that hasn't worked for Exxon Valdez, nor for any of the recent data dump incidents.

To the contrary. Banking is scared shitless. Internet access to a banking account is not a matter of if you lose money but when.

The Underworld is now a multibillion-dollar business and is getting better at its trade with every day. It is relatively safe and lucrative.

Identity theft, SIM swap, the SWIFT half-a-billion-dollar theft in Bangladesh, South Africa - Japan credit cards. Just to name a few.

Remember that money at the end of the day is based on trust. If you cannot trust that the money in your account is safe, or if your money is not liquid because banks have to manually verify dubious transactions, then your money is losing value.

1 https://en.m.wikipedia.org/wiki/Bangladesh_Bank_robbery

2 https://www.bbc.com/news/world-asia-36357182

3 http://fortune.com/2017/05/05/wire-transfer-fraud-emails/

Presumably we're ignoring Identity Fraud when we say banking is doing pretty fine?

Obligatory Mitchell and Webb "Identity Theft" link: https://www.youtube.com/watch?v=CS9ptA3Ya9E

Banks are doing security right because it is in their best interest.

The average IT company however doesn't care much about leaks of customer data, except perhaps for the publicity effects.