Hacker News new | ask | show | jobs
by roc 5410 days ago
> "it seems like there's nothing America can do to defend itself."

We could consider a legal requirement to disclose security breaches. If every firm that failed its customers had to admit it to the market, I would think financial pressure would move us toward more effective security fairly quickly.
1 comments
127001brewer 5410 days ago
States have already been passing such laws for security breaches that contain personal identifiable information since 2002:

http://en.wikipedia.org/wiki/Security_breach_notification_la...

It has to be considered that effective security has significant costs financially and non-financially. (An example of a non-financial cost is a overly difficult registration process for a web application that requires long, complex passwords with multiple security questions and answers.)

link
roc 5410 days ago
I was thinking more about the systems for major banks, defense contractors, industry suppliers, etc.

And effective security wasn't meant to imply the best thing you can think of. It would be a huge step forward if more people simply did the things we all know we should be doing: e.g. policies of accounts not having more access than necessary, network security not 100% focused on the firewall, etc.

link
127001brewer 5410 days ago
It would be a huge step forward if more people simply did the things we all know we should be doing...

That's what I mean by "effective security".

Although security breaches at banks should fall under such laws (especially since they have personal identifiable information), I do not believe defense contractors, energy concerns, industrial suppliers, etc, should even acknowledge such breaches simply because of national security.

link
roc 5410 days ago
> "That's what I mean by "effective security"."

That stuff doesn't cost all that much more. It's non-trivial, sure. But it's not going to make a huge impact on the bottom line. A demand for it would end up costing enterprise software suppliers quite a bit in one-time costs to clean up their code-bases and standard install practices.

> "I do not believe defense contractors, energy concerns, industrial suppliers, etc, should even acknowledge such breaches simply because of national security."

Perhaps not to the general public, but certainly they should be required to disclose to their clients.

link