Cybersecurity Law Casebook
Robert Chesney teaches cybersecurity at the University of Texas School of Law. He recently published a fantastic casebook, which is a good source for anyone studying this.
Comments
andrews • March 16, 2020 2:08 AM
Corporations should be required by law to design secure devices
I have seen precious little that would give me confidence that government would have competent regulators. Even well-intentioned regulators are hardly a given (consider FCC, EPA), and competent is harder to come by.
Then, too, how do you write a regulation that accomplishes this? Simply mandating that there will be no bugs seems rather optimistic. Requiring an update mechanism for a part that may be embedded in a server shipped to [remote country] or installed in a military base is also problematic.
I doubt that anything useful happens until someone manages to make out a case of negligence for some horrible flaw.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
Who? • March 10, 2020 4:28 AM
This casebook is an interesting reading for sure. We need regulators acting in support of customers (either individuals or business) but I guess it will never happen; hardware/software/firmware manufacturers should be required by law to provide security fixes for ten years at least; even twenty years for widely deployed products (e.g. microprocessors or the management engine (ME)). It does not make sense at all Intel withdrawing a “feature” like ME we cannot opt-out because it is four years old. It is a dangerous practice and should be banned. Corporations following these bad practices should be punished.
It does not make sense corporations like Intel withdrawing processors like the Core 2 series either instead of developing microcode to fix modern processor bugs. Corporations should be required by law to design secure devices, even if proven vulnerable at a later stage.
I think an EPA-like agency will not be helpful to achieve this goal.