As lawmakers mull outlawing poor security, what can they really do to tackle online gangs?

In some ways, the ransomware landscape in 2023 remained unchanged from the way it looked in previous years. Vendor reports continue to show a rise in attacks, major organizations are still getting hit, and the inherent issues that enable it as a business model remain unaddressed. Yet what 2023 may be remembered for is how law …

  1. Headley_Grange Silver badge

    Make it illegal to pay fines.

    Make it illegal to insure against it.

    Make it mandatory to report the measures you're taking.

    Put board members, directors and shareholders in prison when their main countermeasure is a pre-prepared "We take security extremely seriously" statement.

    That's just me brainstorming on my own and ignoring the ones relating to judicial killings of the perps.

    1. Version 1.0 Silver badge

      How much more secure hospitals would be if they stopped using the internet and returned to exchanging data via faxes. Back in the days before the internet was available outside the military, we only occasionally got a letter or fax theft attempt, and they were easy to put straight in the trash can. Abandoning the internet would be miserable, but being safe would keep the medical world working well: if data is hard to exchange, then workers at both ends will look at it carefully.

    2. jmch

      "Make it illegal to insure against it."

      The way to do that would be to enforce that companies handling personal data MUST (a) pay each person whose data is lost a fine (to the individual, not a fine levied by the government!!) and (b) have cyber-insurance that specifically covers such payment in full. The market will ensure that insurers audit the security of prospective clients and only agree to insure the ones they find safe, and/or have exclusions that make the company bear the costs if it is hacked because of shoddy security.

      There needs to be the same sort of arrangement that banks have with their insurers around the physical security of cash and the digital security of online banking.

  2. Mike 137 Silver badge

    "Another approach is to outlaw poor security practices"

    Not really practicable, as no developer, vendor or organisation actually intends to deliver poor security -- it's always an accidental outcome of insufficient understanding, expertise, attention or some mix of all three. The fundamental contributor to better security which nobody seems willing to discuss is improved education for all concerned -- including robust validation of competence against common standards (provided of course that those standards are adequate).

    However, pretty much all current standards are based on a consensus of current common practice, which in many cases does not equate to objectively best practice. As training (and thus current common practice) is generally based on those standards, we're in a closed feedback loop that inhibits (or at worst prevents) improvement. I've been working towards improved infosec education and improved standards for around two decades, but because of this closed feedback loop the resistance to change is ferocious. That's the first and hardest nut we have to crack.

    1. elsergiovolador Silver badge

      Re: "Another approach is to outlaw poor security practices"

      as no developer, vendor or organisation actually intends to deliver poor security -- it's always an accidental outcome of insufficient understanding, expertise, attention or some mix of all three.

      No. This is not accidental, but can be attributed to the mix of stupidity, ego and greed. Most businesses don't want to spend on IT. After all this is just some bloke browsing TheReg whole day doing nothing, why pay him six figures? Just get a nephew to install fairywall or whatever this is called, job done.

    2. Headley_Grange Silver badge

      Re: "Another approach is to outlaw poor security practices"

      When I worked on a large project that included some works classified as construction, we all (directors included) got a full day's lecture on the legal implications of Health and Safety legislation, including the fact that we had individual as well as corporate responsibility and that we could be personally prosecuted, put in prison and have our assets seized to pay fines and compensation. The first thing the directors did was put a CDM consultant on a retainer. Everyone got a handbook and it was consulted regularly. Anyone in doubt went and asked for help. The directors didn't ask us to take stupid shortcuts that risked an H&S breach. It worked fine - but only because people knew they could go to prison.

      Ditto when I ran a project under ITAR - the threat (whether real or not) of extradition to the US was enough to make everyone take ITAR seriously.

      If the same rules applied for cyber security then I assure you things would change pretty quickly and the "accidental outcomes" would disappear because the threat of prison and losing your house really focuses people on understanding, expertise and attention.

      1. stiine Silver badge

        Re: "Another approach is to outlaw poor security practices"

        You're naive. There's always going to be someone* who's going to break the rules for a profit.

        * - and they're never alone.

      2. Bitsminer Silver badge

        Re: "Another approach is to outlaw poor security practices"

        This.

        It just needs doing.

  3. elsergiovolador Silver badge

    Nonsense

    when we consider potential victims like hospitals. These types of underfunded institutions that provide critical services cannot afford any downtime, let alone a SOC staffed with world-class talent

    This is pure nonsense. Given hospitals are totally fine hiring useless managers at high six figures or paying inflated rates to agencies bringing in temp workers, there is certainly money to be found for proper security.

    But the first thing that needs to happen is to deal properly with corruption at those places.

    1. SundogUK Silver badge

      Re: Nonsense

      Dump all the DEI consultants.

  4. Gene Cash Silver badge

    Hospitals? Underfunded? Are you serious?

    You start out paying $6.99 for a single q-tip and it goes up from there.

    Hospitals get hit because doctors consider themselves above security and above learning how to use a computer.

    Logging in and passwords are something the vulgar plebeians have to do... doctors won't put up with that nonsense!

    Send them an email with a link saying "click this to give me ownership of your car and house" and they'll click it faster than a Helium-5 half-life, then blame everyone else for having to walk to a hotel.

  5. Pascal Monett Silver badge

    Now wait a minute

    "There is also the genuine possibility that the hard work infosec has done to promote a culture of transparency is wholly undone. Attacks could once again be hidden from the public and authorities, and payments continue to flow, but more quietly."

    Didn't they say the same thing about it being illegal to pay kidnappers' ransoms?

    They still made it illegal.

    It worked.

    1. Catkin Silver badge

      Re: Now wait a minute

      Where was it made illegal?

      1. Michael Wojcik Silver badge

        Re: Now wait a minute

        Where did it "work"?

  6. DeathSquid

    I never understood the fuss. Just run Linux and it won't happen. And if it does, just restore from backup.

  7. Roland 2

    From pirates to privateers

    from the article:

    " ... the lack of arrests remains a concern. "

    " Governments will have crucial roles in the fight against ransomware."

    What we have seen over the last ten years is a clear shift from independent criminals (pirates) to state-tolerated/sponsored actors (privateers), in a handful of rogue states: Russia, China, Iran, North Korea.

    Surely putting more pressure on organizations to improve security is going to (marginally) improve the situation, but no medium-sized business is going to be able to match the challenge of state-approved actors. No action from law enforcement will be decisive unless offshore bases for cybercrime are disrupted.

    Until the 19th century privateers from North Africa harassed Mediterranean trade, until punitive actions by western powers destroyed or dissuaded the sponsors. That's what's needed right now.

    If lawmakers are going to be part of the cybercrime discussion, they need to understand this reality, otherwise we'll just get another layer of regulatory burden while perpetrators laugh all the way from Moscow to Dubai.

  8. Anonymous Coward

    Long-term solutions require short-term sacrific~1

    Find out who are the architects of the current ransomware pandemic and punish them.

    1. SundogUK Silver badge

      Re: Long-term solutions require short-term sacrific~1

      So we should declare war on Russia, China, Iran and North Korea? That'll be fun.

  9. Eecahmap

    Is this just a modest proposal?

    Issue letters of marque and reprisal.
