Opinions - Will the internet be regulated?

GeekyChick Posts: 311 Member ■■■■□□□□□□
I saw this article today that talked about the government regulating computer security in cars. I understand the main reason is personal safety, but it begs the question when will the government step in to regulate the internet in general because of the explosion of cyber attacks. The internet currently is the Wild West and I believe if we, as information security professionals, don’t solve the current threats somehow that the government will step in and solve it for us. Could that be in the form of paying to use the internet or government issued accounts? Just from the technological side of it and not the political side of it, I would like to hear your opinions or ideas about that.


  • paul78 Posts: 3,013 Member ■■■■■■■■■■
    What do you mean by "regulated"? Many aspects of the Internet inside specific nation-states are already regulated. China being a prime example.

    My own personal interest is around net-neutrality and privacy so I generally only follow those regulations.
  • TheFORCE Posts: 2,235 Member ■■■■■■■■□□
    Many countries already regulate the interwebs.
  • GeekyChick Posts: 311 Member ■■■■□□□□□□
    Yes, exactly like China, but I'm talking about in America mostly or the western world. I guess I should have been more specific since there are people on here from other countries. (Yes, another American who only thinks about themselves.) But I am wondering what might be the solution to all of the cyber attacks and I'm thinking the government(s) may see their control of it as the solution. Whether it's shutting down access when necessary or taxes, whatever. Anyway, I wanted to see if others have a different view and what that might be. Or do you see the internet as being controlled right now? I'm just curious as far as predictions because sometimes I see fighting cyber attacks as a losing battle.
  • TeKniques OSCE, OSCP, CISSP, CISA, SSCP, MCSE (03), Security+, Network+, A+, Project+ Posts: 1,262 Member ■■■■□□□□□□
    The premise that by the government stepping in will somehow be a silver bullet is folly at best. To fight cyber attacks there's only so much that can be done. A mature IT department that keeps up on patching, implements best standards, has enough resources to be able to monitor and respond to anomalous behavior, and awareness by the end user are probably the best bet to fight cyber attacks. Some good technology to assist is out there - more times than not though it turns into shelfware as there's no one to support it and keep it optimal.
  • GeekyChick Posts: 311 Member ■■■■□□□□□□
    With the IoTs we have a whole different ballgame. There won't be an IT department to protect the attacks (like ransomware) on people in their own homes. I don't want to see the government get involved either, but I'm not sure the powers-that-be would agree. The next few years will be very interesting. I just like philosophical discussions.
  • dhay13 Posts: 580 Member ■■■□□□□□□□
    Most of what gov't touches ends up worse after they get their fingers in it
  • jcundiff Posts: 486 Member ■■■■□□□□□□
    I don't see it happening... the American public would not stand for it and any politician pushing it would be committing political suicide. Plus with their track history in recent years (OPM and IRS breaches just as an example, there are a few others), their ability to stop ransomware and IoT based DDoS attacks is nonexistent, nor will it be up to speed anytime in the next 5-10 years. What I do see from regulated industry perspective is a huge push for NIST-CSF... in that the govt won't mandate that you (company) must use the framework, but if you are breached and were not adhering to it, you better have a damn good reason why.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • PocketLumberjack Posts: 162 Member ■■■□□□□□□□
    I think we are thinking about this the wrong way. The government stepping in would be more likely big fines for companies that show neglect for securing their devices, D-Link comes to mind as it is recent. I think it will be more lawyers and regulations about consumer security than filter content. Remember governments were formed because we all decided to give up some rights for safety, trust me swimming alone at sea is not the kind of "freedom" you actually want. Put more faith into your government and your life will be happier, if you don't like a decision call your congressman. When a congressman makes a poor decision their phones should be DDOSed by their constituents.

    Sorry for the rant, we all have a stake in making the world a better place...
    Learn some thing new every day, but don’t forget to review things you know.
  • GeekyChick Posts: 311 Member ■■■■□□□□□□
    That's a good point. I could only imagine the lawsuits that will come out of the NIST-CSF. Some neglect is obvious, but what about if the company is securing everything the best it can and an employee clicks on the wrong email or lets the wrong person in?
  • jcundiff Posts: 486 Member ■■■■□□□□□□
    GeekyChick wrote: »
    That's a good point. I could only imagine the lawsuits that will come out of the NIST-CSF. Some neglect is obvious, but what about if the company is securing everything the best it can and an employee clicks on the wrong email or lets the wrong person in?

    At the end of the day, it's still negligence or control failures... either Exchange email filters weren't working, or some employee let someone in they should not have... We stress daily that security is every employee's responsibility... our email filter appliance blocks 99.xxx% on most phishing campaigns, we had a failure due to change one day... in an hour almost 1000 phishing emails came through that resulted in 10 machines having to be re-imaged. The biggest control failure a company has in regards to ransomware is no/insufficient backup strategy implemented... if you have a robust back-up strategy including off-site storage of backups, you get to spend some man hours restoring, but you are not paying out a ransom... an article I reported on today stated that 48% of companies hit by ransomware in the US pay the ransom... what's that say about their backups?

    At the end of the day it all comes back to due care & due diligence before and during an incident. The retailers in all the big named breaches over the last several years were PCI compliant the week their PCI QSA evaluated them, but what did they do to maintain their environment in the weeks between the PCI audit and breach.

    If you have customer data, regardless of whether it is PCI or PII, you need to be doing everything you can to safeguard it. This includes vendor/3rd party risk management... you would be amazed how many large companies out there have no clue who is accessing their data and from where. We have to be right 100% of the time, everyday, the bad guys have to get lucky once.

    I also read this week that Yahoo had no breach coverage, which to me in this day and time is a failure in due care
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • DntH8Me CISSP | CASP | CySA | LPIC-1 | Sec + | ITILv3 Posts: 72 Member ■■■□□□□□□□
    jcundiff wrote: »
    I don't see it happening... the American public would not stand for it and any politician pushing it would be committing political suicide.
    Not so sure about the American public and placing it in their hands to keep it from happening (any public for that matter). A lot of people can be swayed to vote for something not in their best interest under the guise of security. Ask the average person about Net Neutrality and see the responses that you get. In fact the breaches in your example could be used as political ammo to have the public vote for a regulated net.
    dhay13 wrote: »
    Most of what gov't touches ends up worse after they get their fingers in it
    This is the result in most cases and the reason big ISPs and companies like Verizon lobby for being able to regulate traffic. Who wants to be transported back in time to AOL networks or restricted networks like China? Let the Hunger Games begin
    2019 Certification Goals: CEH | PenText + | CISM? | stop procrastinating
  • Codeman6669 Posts: 227 Member
    The internet as a whole is quite insecure. Granted things in general have greatly improved, but it's the internet... what we're doing now feels regulated. Remember AOL netzero? It was like the wild west... ICQ? lol everyone hacked everyone, there was no google... no "your results have been removed by the federal bureau of tobacco and firearms" (this really happens with pirate bay and many other sites). So to ask will it get regulated is asking will they regulate it more than they already are... because... they are. Just not as much as they can
  • p@r0tuXus Posts: 532 Member ■■■■□□□□□□
    DntH8Me - I agree with you in that the public can be manipulated. Look at the Celeb Hacks, Ashley Madison, OPM, Target... etc. These attacks are scary to the public, they highlight the insecurity, the threat to privacy and consumer safety as well as state security. The old Hegelian Dialectic would suggest all a state-actor would need to do is create the problem, wait for the reaction, then offer a solution. We know Big Corp is in bed with Big Brother, if one can benefit from the other they usually tend to scratch the other's back. I wouldn't trust either to keep my information secure. That's where smaller companies with innovative, bold technology come into play. Places like protonmail and lavabit.

    jcundiff - I think you're right that the threat-vectors exposed to attacks are various and broad. These organizations need to be held to account, by the public, not the gov't. If Target loses a ton of consumer information, they should be fined and customers shouldn't shop there. The standards and regulations they're held to are for their benefit as well as the consumers, even the state's security by association (Target shoppers can be gov't employees, right?). So I agree the parties involved in presenting the platform need to be responsible for the safety of the users and responsible when they fail. This is the incentive to keep with the times and technology, as well as employing people who can manage it.

    PocketLumberjack - "If voting changed anything, they'd make it illegal." When money is speech, and you don't have any of it, your voice is silent and unheard. Who did the FCC listen to, the people or TWC? If it wasn't for the courts, the merger would have already completely killed Net Neutrality. Instead, it's on life-support and the public at large which has a general end-user mindset and lack of technical understanding is too busy buying the latest combustible phone or tablet to understand the loss of privacy. Look at the Snowden revelations, next to no one even cares anymore. Most people already assumed it was already happening and when the media was wrung out to sour the official story with bias, the facts fell to the side as interpretation of his character blotted out the issue. Big Business & Big Brother are not an answer to your problems, they're an answer to your notion of "freedom." Freedom denotes responsibility and we need to assume that risk, not transfer it. As an American, I recognize that's our duty.
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
  • GeekyChick Posts: 311 Member ■■■■□□□□□□
    I'm probably more paranoid than others and I'm sure I don't know enough about security to know the answer. But I worry about the IoT and how that will affect our freedom on the internet. The way I see it there's no easy answer to the IoTs. If we, as infosec professionals, can't control the safety online, I imagine the government will gladly step in. What will be their solution, just regulations? Is that enough? For heaven's sake, we will soon have self-driving cars and with UConnect some American cars have wifi right now. And that's just American products who knows what we will get from China. Am I dumb, worried for no reason, do I not get it?
  • p@r0tuXus Posts: 532 Member ■■■■□□□□□□
    Chew on this for a min...

    "In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials."

    - Feb. 9, Director of National Intelligence James Clapper

    Source: http://www.govtech.com/security/Internet-of-Things-Devices-Intelligence-Gathering-Opportunity.html
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
  • Deus Ex Machina Posts: 127 Member
    I understand your concerns, but I doubt this will ever happen. One reality of American society is that it is very hard to take a right away once it has been given to the people. Enough people are technically savvy that there will be meaningful and effective opposition to any moves taken by the government, rendering their actions ineffective at best and counterproductive at worst.
    "The winner takes it all"
  • paul78 Posts: 3,013 Member ■■■■■■■■■■
    In the US - there is more a history of deregulation than regulation. As it pertains to the internet - it is highly unlikely that we will see any type of de-privatization occurring. What is more likely to happen is that we will see regulation that will incentivize private sector to provide internet services which are reliable, secure, (maybe even private) - but in the US there is always competing interest when it comes to privacy. The US government's use of National Security Letters, CALEA, Patriot Act, SCA, etc. - all these laws have an impact on the Internet (at least in terms of privacy).

    From a security perspective - what recently got passed in 2015 in the US was actually pretty weak from the original proposed legislation.

    If you are interested in reading recent laws in the US related to cybersecurity - there is a good list here - Cybersecurity Legislation | Cybercrime Laws | Cyber Security News - ISACA
  • Priston Posts: 999 Member ■■■■□□□□□□
    The only way to stop the internet from being a threat is to simply never connect to the internet.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • GeekyChick Posts: 311 Member ■■■■□□□□□□
    Thank you for entertaining my paranoia. You know when a doctor just starts studying to be a doctor almost every condition they read about they believe they have. Well, I think it's the same thing with me. I see unsecured devices everywhere. :D You all have some interesting points and a lot of knowledge. I've read all of your comments and have looked at your links. This is really a time of great opportunity in this field and it's exciting to be involved in it. And I'm believing we can secure it all. haha
  • paul78 Posts: 3,013 Member ■■■■■■■■■■
    @GeekyChick - a little paranoia is healthy. There are unsecured devices and apps everywhere unfortunately - and I don't necessarily expect that to change in the near future - because there are unfortunately also criminals everywhere and technology evolves.

    But even as the industry makes strides in securing Internet apps (software) and devices (hardware) - the reality is that securing "wetware" (humans) is still pretty tough. In Cybersecurity, the weakest link is still the individual consumer or the company employee.

    One of my favorites talks on the subject is from Defcon 19 - if you have never seen it, it's here - https://www.youtube.com/watch?v=JsVtHqICeKE
  • GeekyChick Posts: 311 Member ■■■■□□□□□□
    Thanks @paul78! I'll watch it. I guess the old OSI Layer 8, humans, is the hardest to work with.

    p.s. that didn't help. :D