[Kalium]

Advising companies that they can and should fix things is actually the easy part. Getting things fixed in a way that makes companies happy is actually incredibly difficult. You're proposing a government agency get its hands dirty fixining thousands upon thousands of bizarro line-of-business applications and mission-critical excel macros. Convincing companies to update what they see as systems that "work just fine" tends to be a Herculean task even when you can make a business case for taking on the expense and risk.

Telling a company "The government says you have to patch and is offering to do it for you" seems like it might not go over quite as well as you might hope. I can already see the first thought - "Do they actually care if all my systems work the way I need them to afterwards?". Having worked in Information Security and offered to fix things for people, my experience is that entities going for this is extremely rare, even when it's just the next department over.

As for the NSA, well, getting them into a proactive posture is a wonderful idea! It's such a good idea that the US government decided you were right decades ago. And acted accordingly. This tends not to make the news, so many people are understandably ignorant. For example, the NSA publishes information assurance best practices: https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-standa...

[helen___keller]

>Convincing companies to update what they see as systems that "work just fine" tends to be a Herculean task even when you can make a business case for taking on the expense and risk.

>Telling a company "The government says you have to patch and is offering to do it for you" seems like it might not go over quite as well as you might hope.

I think a better idea is to have the new agency play an advisory / supplemental role but otherwise place the burden of fix on the company itself. It just needs teeth for entities unwilling to adequately resolve their IT failures.

The EPA will bring suit to companies polluting illegally. Why shouldn't a government agency bring suit to companies or cities risking a leak of hundreds of millions of social security numbers, for example?

[consumer451]

> The EPA will bring suit to companies polluting illegally. Why shouldn't a government agency bring suit to companies or cities risking a leak of hundreds of millions of social security numbers, for example?

Maybe at first we could try an in-between solution. I hate to water things down but maybe a scheme like a USDA Prime Beef label[0] would be more likely to actually pull off?

If there was a NIST Certified logo on one bank/app/merchant/site that asks for personal info, and not another, I would be much more likely to go with the NIST one. Obviously credit agencies and gov systems need to go first.

>In the United States, the United States Department of Agriculture's (USDA's) Agricultural Marketing Service (AMS) operates a voluntary beef grading program that began in 1917. A meat processor pays for a trained AMS meat grader to grade whole carcasses at the abattoir. Such processors are required to comply with Food Safety and Inspection Service (FSIS) grade labeling procedures. The official USDA grade designation can appear as markings on retail containers, individual bags, or on USDA shield stamps, as well as on legible roller brands appearing on the meat itself.

[0] https://en.wikipedia.org/wiki/Beef_carcass_classification

[AWildC182]

"When a measure becomes a target, it ceases to be a good measure."

This sounds nice, but I can't help but feel like this could end up being abused...somehow.

[consumer451]

I completely sympathize with that line of thought, but if I take that position to its logical ends then I find myself nihilistic.

[Kalium]

A hypothetical regulatory regime to mandate and enforce patching and other good practices?

It's worth thinking about. It might also be worth considering if we think there's a good way to get there without doing more harm than good. Congress is not always known for their high-quality technical regulatory work.

[didericis]

Agreed. HIPPA is not exactly a promising precedent.

Regulation would almost certainly lag at least a couple years behind and end up making software and IT maintenance much more expensive without making it that much more secure. I don’t think I like this idea, but imagine if marketers for more robust, secure IT solutions were legally allowed to show you how they can spy on you as a part of an ad. That opens up a huge can of worms that is probably best left closed, but I think it’d act like steroids for getting people to upgrade their insecure stuff.

[nradov]

What is your concern with HIPAA? There have been occasional breaches in covered entities, but overall the rules have significantly improved security and privacy in healthcare.

[txcwpalpha]

I spent years as a infosec consultant specialized in major healthcare companies, and my experience is completely the opposite. It is absurdly easy to be 'compliant' with the HIPAA security rule yet still have abysmal security.

The biggest issue IMO with the HIPAA SR is that it is first and foremost a legal matter that involves legal teams, and is not very good at being a technology matter that effectively prescribes security to security teams. Most of the HIPAA-motivated companies I worked with spent more effort getting their legal counsel to build a HIPAA litigation shield (via intercepting and carefully massaging the wording of security assessments) than they did getting their security teams to actually improve anything.

I did have some clients that saw HIPAA as only a foundation and guidelines for truly improving their security, but that was more a matter of the company actually caring about security, and not because the HIPAA security rule is actually effective.

[nradov]

There will always be some organizations that do the minimum necessary to check some sort of "compliance" checkbox. However you can't deny that overall the healthcare industry as a whole has better security and security controls than they would if HIPAA had never been enacted.

[VLM]

With respect to the EPA, its worth pointing out they'll only punish significant point sources.

For example a sewage treatment plant dumping raw untreated sewage will get punished. However a city with a major homeless problem where many thousands poop on the street will not be punished for a larger release of untreated raw sewage.

Its kinda similar with major organizations and IT. If there's a policy with the correct checkboxes and strong sounding speeches and firmly worded emails were produced by executives, it doesn't matter if there's some individual unpatched Win95 machine running mission critical tasks, even if there's thousands of those supposedly isolated individual case systems.

[grogenaut]

Because we as a society have yet decided that it's bad. Just like we used to not think environmental pollution was bad, or at least with stunting businesses.

[tynpeddler]

The SEC (before it was neutered) may be a better model. It's a group of hackers that investigates government and industry infrastructure for problems. They can warn parties if they find an issue, and if the issue isn't fixed, this group could bring civil, and maybe even criminal, proceedings against the parties.

[__jal]

> It's such a good idea that the US government decided you were right decades ago.

Perhaps, but it is hardly a universal belief that they have the balance right.

It is hard to pick a starting point to get in to this discussion, because it has been going on for a long time and is really complicated, not to mention largely classified. Perhaps one that dovetails into the encryption debate will be as good as any:

https://www.lawfareblog.com/good-defense-good-offense-nsa-my...

[solotronics]

Hack things apply crypto locker and unlock after the user does a a free cyber security training course.