Microsoft president asks Congress to force private-sector orgs to admit when they've been hacked

The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith. Speaking at a Senate Intelligence Committee hearing on Tuesday regarding the SolarWinds backdoor, through which suspected Russian agents infiltrated the computers of US government …

  1. Anonymous Coward

    Perhaps Microsoft should be made to run an ad campaign each & every week on each & every radio & TV channel.

    The 30 second spot (sometimes a monthly 60 second bumper edition) should list all the vulnerabilities and bugs in their systems, when they were discovered and when they were fixed.

    Since almost everyone on planet earth is touched by Microsoft, this seems appropriate.

    1. katrinab Silver badge
      Flame

      How much would you need to speed up the audio by to fit that list into 30 seconds? Would it still be intelligible?

      1. quxinot
        Devil

        That would not work.

        The resulting frequencies would be 1) well beyond the range of human hearing and 2) probably well above the carrier frequency if broadcast anyway.

        :P

  2. AW-S

    A team of 1000.

    "Microsoft’s investigative team concluded that it had taken a team of over 1,000 “very skilled engineers” to pull it off"

    I've found that figure of 1,000 very hard to believe. A team of 6 would be so much more believable.

    1. a_yank_lurker

      Re: A team of 1000.

      6 to 10 competent engineers for anyone else but for the Rejects of Redmond it probably takes a 1000 of their staff to find 5 or 6 semi competent engineers /<snark>

      1. Anonymous Coward

        Re: A team of 1000.

        You forget that this is a discussion of a government run operation. Even in Russia a team of 5 or 6 engineers (the sophistication of this is well above semi competent) working for a government department will have 15 other engineers who are clocking in and out each day but not really contributing much, 20 project managers, 50 programme managers, a finance department, political officer, a bunch of enterprise architects that no one knows what they do, and an HR department to run all of that.

    2. cd

      Re: A team of 1000.

      This is just asking for a new Reg measurement of incompetence.

      "How incompetent were these people?"

      "x000 Microsoft Engineers"

      "Ahh"

  3. NoKangaroosInAustria
    Mushroom

    GDPR been there done that

    So, we have this thing in the EU called GDPR which does just that. Now who's got egg on their face?

    /snark mode off

    Yes, I know gloating is unbecoming but considering the amount of anti-EU=Anti-GDPR postings the past year alone, this feels good.

    And TBH, I think California, New York and IIRC 2 or 3 other states individually have somewhat similar and strict regulations to varying degrees.

  4. Potemkine! Silver badge

    "it’s the only way we’re going to protect the world.”

    4 words: General Data Protection Regulation

    +1 for NoKangaroosInAustria

    1. Mike 137 Silver badge

      Re: "it’s the only way we’re going to protect the world.”

      Article 33(1) Notification of a personal data breach to the supervisory authority

      ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

      So even under the GDPR there's an escape clause.

      As practically no data controller ever considers the rights and freedoms of data subjects, the majority of data breaches are likely to go unreported. Where they are reported, it's usually driven by embarrassment, triggered by some outside agency such as the press picking up on it.

      1. NoKangaroosInAustria

        Re: "it’s the only way we’re going to protect the world.”

        Sorry to contradict you, but, that's not entirely as easy as it sounds. IANAL, but GDPR Article 33 ends as follows: "Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

        My understanding of this clause is that it doesn't absolve the data controller of their reporting responsibilities but merely extends the 72hr window to whatever the data controller can argue was a "reasonable" time period to prevent/mitigate risks to rights and freedoms of persons and so on.

        If (or rather when) the breach eventually becomes known and the controller can't sufficiently justify the risks that they purportedly were mitigating whilst violating the 72 hours rule, well - let's just say some bigwigs@data-controller might have a harder time collecting their undoubtedly well deserved bonuses.

        1. Mike 137 Silver badge

          Re: "it’s the only way we’re going to protect the world.”

          @NoKangaroosInAustria

          The clause is open to more than one interpretation, and there has so far been no case usable to set a precedent. However the ICO has in the early days advised against "over-reporting" of "minor" data breaches, so there is indeed apparently some (ill-defined) latitude as to whether to report or not. And of course if a breach is not self-reported or externally reported on, who is to know it occurred?

  5. Anonymous Coward

    I see......."Blame the Victim"......where have I heard that before!

    Quote: "The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith."

    *

    And most times, that would not protect anyone.......the SolarWinds attack was found LONG AFTER THE HACKERS STARTED HACKING.

    *

    The Equifax hack was found..................LONG AFTER THE HACKERS STARTED HACKING.

    *

    ...........and so on. Horse....stable door......oh dear!

    *

    And as for GDPR......Google, FB, Palantir....and hundreds of other "aggregators" are packaging and selling PII to thousands of clients. How in the world could anyone ever understand where PII was stored....never mind whether the data was accurate....never mind the "right to be forgotten". GDPR is a joke!!

    *

    1999: https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    2015: https://www.wired.com/2015/11/yes-the-nsa-worried-about-whether-spying-would-backfire/

    2018: https://www.bloomberg.com/features/2018-palantir-peter-thiel/

    1. NoKangaroosInAustria

      Re: I see......."Blame the Victim"......where have I heard that before!

      RE: "GDPR is a joke".

      You have a right to your opinion of course. And while you are free to think of GDPR as "a joke", a couple of companies would strongly disagree. Please refer to this website that tracks GDPR fines: www.enforcementtracker.com

    2. IGotOut Silver badge

      Re: I see......."Blame the Victim"......where have I heard that before!

      Hi Bob.

  6. mmccul

    California has almost this

    California's breach notification laws are surprisingly powerful tools. Yes, there is an escape clause if the personal information was encrypted (and yes, it is defined enough that double ROT-13 doesn't count). Yes, it has to impact 500 residents of California, but it's surprisingly powerful, to the point that long before I lived in California, I had to be aware of it routinely. The long arm clauses make even businesses that don't "exist" in the state still have to notify people of breaches, so reorganizing in Texas or Delaware doesn't protect the business.

    As I understand, New York State also has similar laws, though I have not sat down and analyzed them.

    I suspect that some of these companies would like to see a single federal standard breach notification law rather than state by state requirements that differ slightly in what constitutes personal information, what protections exist, etc.

    1. Zippy´s Sausage Factory
      Devil

      Re: California has almost this

      The usual reason they want a federal standard for anything is that it would override a state one. And a federal one is a lot easier to water down because you only have to lobby in Washington, DC.

      Yes, I am that cynical, thank you for noticing.

    2. NoKangaroosInAustria

      Re: California has almost this

      Ah yes, the famous POSL that the US has for data privacy matters - "Pieces of Scattered Legislation".

      California is purportedly comparable to GDPR in terms of stringency of user protection.

  7. FlamingDeath Silver badge

    I think we all need to show due diligence, but this message is a bit hard to swallow when it's coming from fucking Microsoft

    Didn’t they hose a load of people's data not too long ago in one of their many botched patches if a certain folder caching policy was enabled?

    We got Bill fuckin Gates leading the charge against infectious diseases, the man who spawned an operating system that has more holes than a 3rd degree burns victim

    1. IGotOut Silver badge

      Go learn about the Gates foundation and come back.

      They are doing more to eradicate infectious diseases than most nations. Or how about improving farming in poor areas? Or teaching women about family planning? Or how about sorting out schooling for the poor?

      Yeah, that Bill Gates.

      1. Claverhouse Silver badge

        I doubt if [ American Schooling ] Voucher Schools have much to do with helping the 'poor' by defunding the public schools. And as for other things since when is it acceptable for private foundations to influence public policy ? As with Bloomberg, another rich wretch who seeks to use his billions to control peoples.

        Notably with The War on Vaping; down to one individual's personal objections.

        In accordance with Bloomberg’s agenda, these groups have directed a significant amount of their energy on low- and middle-income countries. Using their money, clout, and connections, they impose their views and will on these nations, without the input of local populations and with little or no regard for their specific circumstances, needs, and values. In the midst of a wave of interest in “decolonializing” public health, this sort of patronizing interference, well-intentioned though it may be, deserves scrutiny.

        .

        https://insidesources.com/bloombergs-philanthro-colonialism-a-threat-to-global-health-and-science/

  8. Mahhn

    MS has no room to talk

    Just this morning I went to report to MS that we received a phishing Email with a link to "malware hosted on their dynamics.com domain."

    There is literally no way to report it. Even called them, unless I would give them an account number, they didn't care.

    MS needs to get their cranium out of their donkey before they tell anyone else to be responsible.

    1. IGotOut Silver badge

      Re: MS has no room to talk

      Registrar Abuse Contact Email: email@cscglobal.com

      Registrar Abuse Contact Phone: +1.8887802723

      You're welcome.

      1. Mahhn

        Re: MS has no room to talk

        I did eventually end up with a way to report it and they took the malware down. It was though a different address. But thank you for posting a way also.

        Searching on their site for "report abuse" (among others) should get more than xbox results though.

  9. Falmari Silver badge
    Angel

    What’s Microsoft’s angle?

    What’s Microsoft’s angle? Admitting to the world you have been hacked is not good for any company’s business Microsoft included. What’s in it for Microsoft by making the private sector legally obliged to disclose any major hacks of their systems?

    Or is it just a case of, they have seen the writing on the wall and this will eventually happen so they are just trying to get out and in front of it.

  10. DS999 Silver badge

    How was the attack "reckless"?

    If you want to exploit government and big business networks, you WANT people to have less trust in patches and security updates. From the perspective of the attacker their attack method wasn't reckless, it was genius because it accomplished one short term goal (breaking all the SolarWinds stuff) and one long term goal (potentially making some people less willing to install patches, or wait longer before they do).

  11. Claptrap314 Silver badge

    Just a question.

    Would you also support fines for companies that repeatedly take a year or more to address reports of security issues?

    That repeatedly send out software updates that create new security vulnerabilities?

    That repeatedly introduce tools that create obvious attack surfaces?

    That repeatedly ship software with unsafe defaults?

    Just wondering.

  12. Anonymous Coward

    disclosures could be made to government-level watchdogs in exchange for limited liability protections, for instance. They may not necessarily have to be fully public disclosures, either

    So, normal people not associated with gov. or who don't have deep pockets will still be screwed, on one side the hackers, on the other side if gov. decides the hack is useful to them, probably will keep it quiet for a while.
