Overall, I don't support this bill either. However, I do support some industries requiring certified security professionals, specifically those involved in e-commerce. I've seen some pretty horrific e-commerce code out there. I'll just say that there are very few sites I will submit my credit card info to.
At 8/28/09 06:34 PM, TheShrike wrote:
I don't support this.
That said, I understand the reasoning. In the event of a true international all-out cyberwar, common people's computers could be infected with viruses that target infrastructure systems via the net, and this would give the government the power to instruct providers to cut access wholesale to prevent spread and ongoing attacks.
Honestly, I think that is just a stop gap. I don't think critical infrastructure is connected to the internet, but if it is, then it needs to be converted to an isolated network ASAP. While I can understand concerns over cost, it is an unnecessary security risk to expose those systems to the net at large. As for e-commerce, I do think there needs to be tighter regulation on the code. The more information you store, the more regulation you need.
Design an agency to find and require fixes for software exploits...
I'm on the fence about this idea. It sounds good in theory, but given the amount of software out there, the agency would have to be massive. Also, it's not just the software that they have to watch. They will also have to inspect the configurations of software deployed on the net to make sure that it is configured properly, and even that won't allow them to find all of the holes. Even with all precautions in place, all it takes is an employee with an easily guessed password to blow the whole system wide open. This is one of those cases where I think it is better to put the onus on private industry to hire certified security experts to handle these matters. The problem is too massive for the government to deal with.
But don't get people who're already wound-up more panic ammo.