Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

April 10, 2015

Incentives to be Cybersecure?

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:14 pm

A year after its exposure, Heartbleed bug remains a serious threat (+video) by Joe Uchill.

From the post:


Venafi scanned publicly accessible servers and discovered that only 416 of the 2,000 companies listed on the Forbes Global 2000 – a ranking of the largest public companies in the world – have fully completed Heartbleed remediation. That’s a marginal improvement over the 387 companies that Venafi identified in a July survey as taking action to fix the bug.

Venafi report, Hearts Continue to Bleed: Heartbleed One Year Later. Note what "fully completed remediation" means in that report: patching OpenSSL alone does not count. A private key that sat in memory on a vulnerable server may already have been read out, so Venafi also requires that the key be regenerated, the certificate reissued, and the old certificate revoked before a host is counted as remediated.

You may also find this helpful, The Forbes Global 2000 list.

I don’t know which companies you want to help out by pointing out the IP addresses of vulnerable servers so I’ll leave generating the IP lists for individual companies as an exercise for you.
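One way to do the per-server part of that exercise, as an added example that is not code from the original post or from Venafi: a stdlib-only Python check that walks a DER-encoded X.509 certificate with a minimal TLV parser, reaches the Validity field, and reports whether notBefore predates the Heartbleed disclosure on 2014-04-07. A certificate issued before that date belongs to a key that was in service while the bug was exploitable, which is the rotation Venafi's remediation count is looking for. The sample certificates are constructed in the block itself (field order of a real certificate up to Validity, empty Name and key fields, dummy signature) and would not be accepted by any TLS stack; the function names are this example's own.

```python
"""Check whether a DER X.509 certificate predates the Heartbleed disclosure.

Added example, not code from the original post or from Venafi. Stdlib only:
a minimal DER TLV walker reaches the Validity field of a certificate and
compares notBefore with 2014-04-07. A certificate issued before that date
is one whose private key was in service while CVE-2014-0160 was exploitable,
so the host is not remediated even if OpenSSL itself has been patched.
"""
from datetime import datetime, timezone

# Public disclosure date of CVE-2014-0160 (Heartbleed).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280."""
    text = val.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ; YY >= 50 means 19YY
        yy = int(text[:2])
        text = ("19" if yy >= 50 else "20") + text
    elif tag != 0x18:                      # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # TBSCertificate order: serialNumber, signature, issuer, validity, ...
    vtag, validity = fields[3]
    if vtag != 0x30:
        raise ValueError("Validity is not a SEQUENCE")
    times = list(_children(validity))
    return _parse_time(*times[0]), _parse_time(*times[1])


def predates_heartbleed(der):
    """True when the certificate was issued before disclosure: its key may
    have leaked, so the host is unremediated regardless of patch level.
    A later notBefore is necessary, not sufficient; this check cannot tell
    whether the key was actually regenerated or the old certificate revoked."""
    not_before, _ = cert_validity(der)
    return not_before < HEARTBLEED_DISCLOSED


# --- constructed sample input (this example's own, not real certificates) ---
def _der(tag, body):
    """Encode a DER TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Constructed certificate skeleton: real field order up to Validity,
    empty Name/key fields and a dummy signature, so no TLS stack accepts it."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                 # [0] version v3
               + _der(0x02, b"\x01")                           # serialNumber
               + sha256_rsa                                    # signature
               + _der(0x30, b"")                               # issuer
               + _der(0x30, utc(not_before) + utc(not_after))  # validity
               + _der(0x30, b"")                               # subject
               + _der(0x30, b""))                              # subjectPublicKeyInfo
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


# Issued before disclosure: patched or not, the key must be rotated.
OLD_CERT = build_sample_cert(datetime(2013, 6, 1), datetime(2016, 6, 1))
# Reissued after disclosure: passes this check.
NEW_CERT = build_sample_cert(datetime(2014, 5, 15), datetime(2017, 5, 15))

if __name__ == "__main__":
    for name, der in (("old", OLD_CERT), ("reissued", NEW_CERT)):
        nb, _ = cert_validity(der)
        print(f"{name}: notBefore={nb:%Y-%m-%d} predates_heartbleed={predates_heartbleed(der)}")
```

Against a live host you would feed `cert_validity` the DER bytes of the leaf certificate (for example the output of `openssl s_client` piped through `openssl x509 -outform DER`); the parser stops at Validity, so extensions and signature algorithm are irrelevant to it. Keep the caveat in `predates_heartbleed` in mind: a post-disclosure notBefore only shows the certificate was reissued, not that the key behind it changed.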

This is a good illustration of the lack of skin in the game by a majority of companies listed in the Forbes Global 2000 group. As we discussed in The reason companies don’t fix cybersecurity [Same reason software is insecure], companies have no incentives to practice cybersecurity. The Heartbleed vulnerability is an example of that principle at work.

Government moves to increase the level of cybersecurity?

“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”, (drum roll), an executive order from President Obama.

Don’t you have that warm feeling from a real hug now? Feeling like your data is getting safer by the day!

If you have either of those feelings after reading that executive order, it may be time to call 911 because you have been off your meds for too long. 😉

Serious cyberhackers are hacking because they are being paid for their services or the content they obtain. Given the difficulty in identifying, locating and capturing serious cyberhackers, I am sure they are willing to take the risk, such as it is, generated by Obama’s executive order. As a matter of fact, I suspect cyberhackers recognize the purely media side effects of such an order. Something, an ineffectual something, but something, is being done about cybersecurity.

I understand that the President cannot be an expert in every field but he/she should have advisers who have access to experts in every field.

Assuming cyberhackers haven’t changed since the discovery of the Heartbleed vulnerability, guess who else hasn’t changed? Some one thousand five hundred and eighty-four (1,584) of the Forbes Global 2000 group, that is, 2,000 minus the 416 Venafi found fully remediated. If more than 3/4 of the Forbes Global 2000 group wants to go naked with regard to Heartbleed, that’s their choice. However, that choice means that your data, not just theirs, is at risk.

To put it another way, 3/4 of the Forbes Global 2000 group has made a decision that your data isn’t worth the cost of fixing the Heartbleed vulnerability.

Since influencing the behavior of cyberhackers seems a bridge too far, doesn’t it make sense to incentivize U.S. based members of the Forbes Global 2000 group and others to protect your data more effectively?

The current regimes of fines for some data breaches don’t appear to be sufficient incentives, in light of the evidence, to increase cybersecurity. If there were a real incentive to secure your data, more than 3/4 of the Forbes Global 2000 group would have fixed the Heartbleed vulnerability by now, instead of fewer than 1/4.

My suggestion: Increase the penalties for theft of consumer data and make the liability personal to everyone defined to be part of “management” by the National Labor Relations Board (NLRB) and proportionate to their compensation. The only out is for a member of management to have reported the cybersecurity issue to US-CERT before the breach for which a fine is being imposed.

Year to year, the GAO would hire out a survey of cyberinsecurities and, based on the percentage of mitigation of known flaws, propose increases in the fines designed to encourage cybersecurity. The increases in fines take effect unless Congress votes by a 2/3 majority in both houses to change the proposed rate.

Cybersecurity is too complex for a fixed legislative or even a regulatory solution. American business has always prided itself on solving problems so let’s rely on their ingenuity once they have the proper incentives.

PS: I realize this would also increase business donations to congressional campaigns, but 2/3 majorities in Congress appear to be few and far between.

PPS: You will notice that by making the liabilities “personal” to management, I have avoided diminishing the value of the company for its shareholders. Probably need to ban reimbursement agreements, insurance coverage, etc. for those fines as well. You can imagine that Jamie Dimon facing the prospect of spending his retirement years in a Bronx homeless shelter would have a great incentive to improve cybersecurity at JPMorgan Chase.
