
>Criminal charges for not fixing known vulnerabilities?

Why not? Incompetent vehicle operators regularly face criminal charges too.



So you'd like to have agencies set up to fine every company that gets hacked through 'known vulnerabilities'? Enforcing this arbitrarily after big hacks is hardly an equivalent analogy to enforcing traffic violations. It'd have to be consistent, well defined, and widely enforced to be at all effective.

To me this is an emotional reaction that has no regard for cause/effect.


>So you'd like to have agencies set up to fine every company that gets hacked through 'known vulnerabilities'?

Not exactly, but I do feel that entities recklessly handling PII or possibly in this case their update servers should face consequences.

>Enforcing this arbitrarily after big hacks is hardly an equivalent analogy to enforcing traffic violations. It'd have to be consistent, well defined, and widely enforced to be at all effective.

We definitely agree on this.

>To me this is an emotional reaction that has no regard for cause/effect.

This particular raid? Undoubtedly.


The end result will likely be more companies wasting time on useless theatrics like PCI compliance to protect themselves from legal liability rather than meaningfully protecting users' data and preventing their systems from being launch points for bigger attacks.

This is why I'm highly doubtful about the ROI of burdening companies, courts, and law enforcement with this 'solution'.

Even though it feels good to punish a faceless corporation for making a seemingly obvious mistake.


What's wrong with a PCI-like compliance that ensures companies that affect this many people have their servers patched on a regular basis?

Rubber stamps like PCI compliance might look like time wasters. Not all of them are. Given the huge increase in the amount of online credit card transactions, the number of cases where payment information is compromised is very low. That is partly due to PCI compliance IMO.


You wouldn't introduce these fines just like that of course. You would have some reasonable formal procedure. For example, the bug must be documented somewhere (publicly or not), such as in a CVE, and you must have been given enough time to fix it.

I think it is absolutely necessary these days, when vulnerable IoT devices are made into botnets, that people are held responsible for negligence. The damage this can cause is potentially huge.

There should also be a way to punish people if they find a vulnerability internally, and willfully neglect to fix it. The bar for this should be reasonably high, but it is IMHO the same as if a car manufacturer finds a problem with their brakes and ignores it.

Also, there probably would have to be a way for a manufacturer to throw their hands up and say "sorry, we can't fix this" - declaring technical debt bankruptcy. In that case, I think it should not necessarily result in criminal charges, but it must have some consequences. Maybe allowing third parties to take the code and deploy fixes, maybe banning sales, you lose IP, or have to pay a fine.


> Enforcing this arbitrarily after big hacks is hardly an equivalent analogy to enforcing traffic violations. It'd have to be consistent, well defined, and widely enforced to be at all effective.

"Consistent" and "widely enforced" don't apply to traffic violations either.


The US already has that. The FCC fines companies for exposing PII.


Criminal negligence usually has to cause death or something serious like that. Not sure why it shouldn't be extended to causing other types of harm. In this case, it seems like they were warned they were putting their customers at risk and did it anyway. That seems much more serious than just having a bug.


This amounts to enforcing whatever the software vendor of choice wants to install on your drive. Taking the choice out of an update by law, without a counter law enforcing that at least two suppliers of choice exist, that is really sinister.


It's perhaps more relevant that vehicle manufacturers face criminal and civil liability for faulty products.


In that case Microsoft should have been brought up on charges a long time ago for releasing the world's most insecure OS.


Oh come on, really? That's just plain, unfounded bashing.

If it's the most insecure OS, then tell me some unknown vulnerability, on the spot. See, you don't know one, so it's gotta be at least a bit secure...



