Entries Tagged "economics of security"


CardSystems Exposes 40 Million Identities

The personal information of over 40 million people has been hacked. The hack occurred at CardSystems Solutions, a company that processes credit card transactions. The details are still unclear. The New York Times reports that “data from roughly 200,000 accounts from MasterCard, Visa and other card issuers are known to have been stolen in the breach,” although 40 million were vulnerable. The theft was intentional, malicious computer hacking: the first among all these recent personal-information breaches, I think. The rest were accidental—backup tapes gone walkabout, for example—or social engineering hacks. Someone was after this data, which implies it’s more likely to result in fraud than those peripatetic backup tapes were.

CardSystems says that they found the problem, while MasterCard maintains that they did; the New York Times agrees with MasterCard. Microsoft software may be to blame. And in a weird twist, CardSystems admitted they weren’t supposed to keep the data in the first place.

The official, John M. Perry, chief executive of CardSystems Solutions…said the data was in a file being stored for “research purposes” to determine why certain transactions had registered as unauthorized or uncompleted.

Yeah, right. Research = marketing, I’ll bet.

This is exactly the sort of thing that Visa and MasterCard are trying very hard to prevent. They have imposed their own security requirements on companies—merchants, processors, whoever—that deal with credit card data. Visa has instituted a Cardholder Information Security Program (CISP). MasterCard calls its program Site Data Protection (SDP). These have been combined into a single joint security standard, PCI, which also includes Discover, American Express, JCB, and Diners Club. (More on Visa’s PCI program.)

PCI requirements encompass network security, password management, stored-data encryption, access control, monitoring, testing, policies, etc. And the credit-card companies are backing these requirements up with stiff penalties: cash fines of up to $100,000, increased transaction fees, or termination of the account. For a retailer that does most of its business via credit cards, this is an enormous incentive to comply.

These aren’t laws, they’re contractual business requirements. They’re not imposed by government; the credit card companies are mandating them to protect their brand.

Every credit card company is terrified that people will reduce their credit card usage. They’re worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They’re worried about how their brands are perceived by the public. And they don’t want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud. (Or, at least, by giving reporters the opportunity to write headlines like “CardSystems Solutions hands over 40M credit cards to hackers.”)

So independent of any laws or government regulations, the credit card companies are forcing companies that process credit card data to increase their security. Companies have to comply with PCI or face serious consequences.

Was CardSystems in compliance? They should have been in compliance with Visa’s CISP by 30 September 2004, and they were certainly in the highest service level. (PCI compliance isn’t required until 30 June 2005—about a week from now.) The reality is more murky.

After the disclosure of the security breach at CardSystems, varying accounts were offered about the company’s compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard’s standards. “They were in violation of our rules,” she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems “a limited amount of time” to do so.

Asked about compliance with Visa’s standards, a Visa spokeswoman, Rosetta Jones, said, “This particular processor was not following Visa’s security requirements when we found out there was a potential data compromise.”

Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004.

All of this demonstrates some limitations of any certification system. One, companies can take advantage of interpersonal and intercompany politics to get themselves special treatment with respect to the policies. And two, all audits rely to a great extent on self-assessment and self-disclosure. If a company is willing to lie to an auditor, it’s unlikely that it will get caught.

Unless they get really caught, like this incident.

Self-reporting only works if the punishment exceeds the crime. The reason people accurately declare what they bring into the country on their customs forms, for example, is because the penalties for lying are far more expensive than paying any duty owed.

If the credit card industry wants their PCI requirements taken seriously, they need to make an example out of CardSystems. They need to revoke whatever credit card processing license CardSystems has, to the maximum extent possible by whatever contracts they have in place. Only by making CardSystems a demonstration of what happens to someone who doesn’t comply will everyone else realize that they had better comply.

(CardSystems should also face criminal prosecution, but that’s unlikely in today’s business-friendly political environment.)

I have great hopes for PCI. I like security solutions that involve contracts between companies more than I like government intervention. Often the latter is required, but the former is more effective. Here’s PCI’s chance to demonstrate their effectiveness.

Posted on June 23, 2005 at 8:55 AM

Organized Retail Theft

There are two distinct shoplifting threats: petty shoplifting and Organized Retail Theft.

Organized retail theft (ORT) is a growing problem throughout the United States, affecting a wide range of retail establishments, including supermarkets, chain drug stores, independent pharmacies, mass merchandisers, convenience stores, and discount operations. It has become the most pressing security problem confronting retailers. ORT losses are estimated to run as high as $15 billion annually in the supermarket industry alone, and $34 billion across all retail. ORT crime is separate and distinct from petty shoplifting in that it involves professional theft rings that move quickly from community to community and across state lines to steal large amounts of merchandise that is then repackaged and sold back into the marketplace. Petty shoplifting, as defined, is limited to items stolen for personal use or consumption.

Their list of 50 most shoplifted items consists of small, expensive things with long shelf life: over-the-counter drugs, mostly.

#1 Advil tablet 50 ct

#2 Advil tablet 100 ct

#3 Aleve caplet 100 ct

#4 EPT Pregnancy Test single

#5 Gillette Sensor 10 ct

#6 Kodak 200 24 exp

#7 Similac w/iron powder – case

#8 Similac w/iron powder – single can

#9 Preparation H 12 ct

#10 Primatene tablet 24 ct

Found on BoingBoing.

Posted on June 22, 2005 at 1:06 PM

Billions Wasted on Anti-Terrorism Security

Recently there have been a bunch of news articles about how lousy counterterrorism security is in the United States, how billions of dollars have been wasted on security since 9/11, and how much of what was purchased doesn’t work as advertised.

The first is from the May 8 New York Times (available at the website for pay, but there are copies here and here):

After spending more than $4.5 billion on screening devices to monitor the nation’s ports, borders, airports, mail and air, the federal government is moving to replace or alter much of the antiterrorism equipment, concluding that it is ineffective, unreliable or too expensive to operate.

Many of the monitoring tools—intended to detect guns, explosives, and nuclear and biological weapons—were bought during the blitz in security spending after the attacks of Sept. 11, 2001.

In its effort to create a virtual shield around America, the Department of Homeland Security now plans to spend billions of dollars more. Although some changes are being made because of technology that has emerged in the last couple of years, many of them are planned because devices currently in use have done little to improve the nation’s security, according to a review of agency documents and interviews with federal officials and outside experts.

From another part of the article:

Among the problems:

  • Radiation monitors at ports and borders that cannot differentiate between radiation emitted by a nuclear bomb and naturally occurring radiation from everyday material like cat litter or ceramic tile.
  • Air-monitoring equipment in major cities that is only marginally effective because not enough detectors were deployed and were sometimes not properly calibrated or installed. They also do not produce results for up to 36 hours—long after a biological attack would potentially infect thousands of people.
  • Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry a weapon or a bomb aboard a plane.
  • Postal Service machines that test only a small percentage of mail and look for anthrax but no other biological agents.

The Washington Post had a series of articles. The first lists some more problems:

  • The contract to hire airport passenger screeners grew to $741 million from $104 million in less than a year. The screeners are failing to detect weapons at roughly the same rate as shortly after the attacks.
  • The contract for airport bomb-detection machines ballooned to at least $1.2 billion from $508 million over 18 months. The machines have been hampered by high false-alarm rates.
  • A contract for a computer network called US-VISIT to screen foreign visitors could cost taxpayers $10 billion. It relies on outdated technology that puts the project at risk.
  • Radiation-detection machines worth a total of a half-billion dollars deployed to screen trucks and cargo containers at ports and borders have trouble distinguishing between highly enriched uranium and common household products. The problem has prompted costly plans to replace the machines.

The second is about border security.

And more recently, a New York Times article on how lousy port security is.

There are a lot of morals here: the problems of believing companies that have something to sell you, the difficulty of making technological security solutions work, the problems with making major security changes quickly, the mismanagement that comes from any large bureaucracy like the DHS, and the wastefulness of defending potential terrorist targets instead of broadly trying to deal with terrorism.

Posted on June 3, 2005 at 8:17 AM

Holding Computer Files Hostage

This one has been predicted for years. Someone breaks into your network, encrypts your data files, and then demands a ransom to hand over the key.

I don’t know how the attackers did it, but below is probably the best way. A worm could be programmed to do it.

1. Break into a computer.

2. Generate a random 256-bit file-encryption key.

3. Encrypt the file-encryption key with a common RSA public key.

4. Encrypt data files with the file-encryption key.

5. Wipe data files and file-encryption key.

6. Wipe all free space on the drive.

7. Output a file containing the RSA-encrypted file-encryption key.

8. Demand ransom.

9. Receive ransom.

10. Receive encrypted file-encryption key.

11. Decrypt it and send it back.

In any situation like this, step 9 is the hardest. It’s where you’re most likely to get caught. I don’t know much about anonymous money transfer, but I don’t think Swiss bank accounts have the anonymity they used to.

You also might have to prove that you can decrypt the data, so an easy modification is to encrypt a piece of the data with another file-encryption key so you can prove to the victim that you have the RSA private key.
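The key-management structure behind those steps, as an added example rather than code from the original post: hybrid encryption over in-memory byte slices, written in Go against the standard library. A fresh random 256-bit key encrypts the data, that key is wrapped under an RSA public key, and the plain copy is zeroed, so the only artifact left is the wrapped key (step 7); recovery then depends entirely on the RSA private key (steps 10 and 11). It also includes the proof-of-decryption variant from the paragraph above: a sample encrypted under its own key, which can be handed back without handing back the main one. The post names only “256-bit” and “RSA”; AES-256-GCM as the file cipher, RSA-OAEP as the wrapping, the 2048-bit key size, the function names and the sample strings are all assumptions of this example. Nothing here touches files, free space or a network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Wrapped is what the intruder leaves behind (step 7): ciphertext plus the file-encryption key sealed under the intruder's RSA public key.
type Wrapped struct {
	Nonce, Ciphertext, WrappedKey []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is steps 2 to 5: a fresh random 256-bit key encrypts data with
// AES-256-GCM (assumed mode), the key is wrapped with RSA-OAEP under pub, and
// the plain key is zeroed so only the wrapped copy survives.
func Encrypt(pub *rsa.PublicKey, data []byte) (*Wrapped, error) {
	buf := make([]byte, 32+12) // step 2: 256-bit key, plus a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	aead, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, data, nil) // step 4
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil) // step 3
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // step 5: the plain key no longer exists anywhere
		fileKey[i] = 0
	}
	return &Wrapped{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Unwrap is steps 10 and 11 on the key holder's side; any other private key gets an OAEP error, not a wrong key.
func Unwrap(priv *rsa.PrivateKey, wrappedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
}

// Decrypt is the victim's last step; with the wrong key GCM's tag check fails.
func Decrypt(fileKey []byte, w *Wrapped) ([]byte, error) {
	aead, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Ciphertext, nil)
}

// RoundTrip runs the whole exchange in memory. sample gets its own key (the
// proof-of-decryption variant), which is released first and must be useless
// against the main ciphertext. Reports the recovered data, whether the proof
// checked out, and whether the sample key was independent of the main one.
func RoundTrip(data, sample []byte) (recovered []byte, proofOK, independent bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the intruder's key pair (assumed size)
	if err != nil {
		return nil, false, false, err
	}
	mainW, err := Encrypt(&priv.PublicKey, data)
	if err != nil {
		return nil, false, false, err
	}
	sampleW, err := Encrypt(&priv.PublicKey, sample)
	if err != nil {
		return nil, false, false, err
	}
	sampleKey, err := Unwrap(priv, sampleW.WrappedKey) // sent back as proof
	if err != nil {
		return nil, false, false, err
	}
	got, err := Decrypt(sampleKey, sampleW)
	proofOK = err == nil && string(got) == string(sample)
	_, err = Decrypt(sampleKey, mainW) // the proof key opens nothing else
	independent = err != nil
	mainKey, err := Unwrap(priv, mainW.WrappedKey) // released only after step 9
	if err != nil {
		return nil, proofOK, independent, err
	}
	recovered, err = Decrypt(mainKey, mainW)
	return recovered, proofOK, independent, err
}

func main() {
	out, ok, indep, err := RoundTrip([]byte("constructed: whole data set"), []byte("constructed: one record"))
	fmt.Printf("recovered=%q proofOK=%v independent=%v err=%v\n", out, ok, indep, err)
}
```

The point for the defender is the one the steps already imply: once the plain key is zeroed, nothing left on the machine can reverse the encryption, and the proof sample costs the key holder nothing because each piece is sealed under its own key. The only recovery that does not run through step 9 is a copy of the data the intruder never reached.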

Internet attacks have changed over the last couple of years. They’re no longer about hackers. They’re about criminals. And we should expect to see more of this sort of thing in the future.

Posted on May 30, 2005 at 8:18 AM

Massive Data Theft

During a time when large thefts of personal data are dime-a-dozen, this one stands out.

What is thought to be the largest U.S. banking security breach in history has gotten even bigger.

The number of bank accounts accessed illegally by a New Jersey cybercrime ring has grown to 676,000, according to police investigators. That’s up from the initial estimate of 500,000 accounts police said last month had been breached.

Hackensack, N.J., police Det. Capt. Frank Lomia said today that an additional 176,000 accounts were found by investigators who have been probing the ring for several months. All 676,000 consumer accounts involve New Jersey residents who were clients at four different banks, he said.

Even before the latest account tally was made public, the U.S. Department of the Treasury labeled the incident the largest breach of banking security in the U.S. to date.

The case has already led to criminal charges against nine people, including seven former employees of the four banks. The crime ring apparently accessed the data illegally through the former bank workers. None of those employees were IT workers, police said.

One amazing thing about the story is how manual the process was.

The suspects pulled up the account data while working inside their banks, then printed out screen captures of the information or wrote it out by hand, Lomia said. The data was then provided to a company called DRL Associates Inc., which had been set up as a front for the operation. DRL advertised itself as a deadbeat-locator service and as a collection agency, but was not properly licensed for those activities by the state, police said.

And I’m not really sure what the data was stolen for:

The information was then allegedly sold to more than 40 collection agencies and law firms, police said.

Is collections really that big an industry?

Edited to add: Here is some good commentary by Adam Fields.

Posted on May 24, 2005 at 8:49 AM

Surveillance Cameras in U.S. Cities

From EPIC:

The Department of Homeland Security (DHS) has requested more than $2 billion to finance grants to state and local governments for homeland security needs. Some of this money is being used by state and local governments to create networks of surveillance cameras to watch over the public in the streets, shopping centers, at airports and more. However, studies have found that such surveillance systems have little effect on crime, and that it is more effective to place more officers on the streets and improve lighting in high-crime areas. There are significant concerns about citizens’ privacy rights and misuse or abuse of the system. A professor at the University of Nevada at Reno has alleged that the university used a homeland security camera system to surreptitiously watch him after he filed a complaint alleging that the university abused its research animals. Also, British studies have found there is a significant danger of racial discrimination and stereotyping by those monitoring the cameras.

Posted on May 16, 2005 at 9:00 AM

Combating Spam

Spam is back in the news, and it has a new name. This time it’s voice-over-IP spam, and it has the clever name of “spit” (spam over Internet telephony). Spit has the potential to completely ruin VoIP. No one is going to install the system if they’re going to get dozens of calls a day from audio spammers. Or, at least, they’re only going to accept phone calls from a white list of previously known callers.

VoIP spam joins the ranks of e-mail spam, Usenet newsgroup spam, instant message spam, cell phone text message spam, and blog comment spam. And, if you think broadly enough, these computer-network spam delivery mechanisms join the ranks of computer telemarketing (phone spam), junk mail (paper spam), billboards (visual space spam), and cars driving through town with megaphones (audio spam). It’s all basically the same thing—unsolicited marketing messages—and only by understanding the problem at this level of generality can we discuss solutions.

In general, the goal of advertising is to influence people. Usually it’s to influence people to purchase a product, but it could just as easily be to influence people to support a particular political candidate or position. Advertising does this by implanting a marketing message into the brain of the recipient. The mechanism of implantation is simply a tactic.

Tactics for unsolicited marketing messages rise and fall in popularity based on their cost and benefit. If the benefit is significant, people are willing to spend more. If the benefit is small, people will only do it if it is cheap. A 30-second prime-time television ad costs 1.8 cents per adult viewer, a full-page color magazine ad about 0.9 cents per reader. A highway billboard costs 0.21 cents per car. Direct mail is the most expensive, at over 50 cents per third-class letter mailed. (That’s why targeted mailing lists are so valuable; they increase the per-piece benefit.)

Spam is such a common tactic not because it’s particularly effective; the response rates for spam are very low. It’s common because it’s ridiculously cheap. Typically, spammers charge less than a hundredth of a cent per e-mail. (And that number is just what spamming houses charge their customers to deliver spam; if you’re a clever hacker, you can build your own spam network for much less money.) If it is worth $10 for you to successfully influence one person—to buy your product, vote for your guy, whatever—then you only need a 1 in a 100,000 success rate. You can market really marginal products with spam.

So far, so good. But the cost/benefit calculation is missing a component: the “cost” of annoying people. Everyone who is not influenced by the marketing message is annoyed to some degree. The advertiser pays a partial cost for annoying people; they might boycott his product. But most of the time he does not, and the cost of the advertising is paid by the person: the beauty of the landscape is ruined by the billboard, dinner is disrupted by a telemarketer, spam costs money to ship around the Internet and time to wade through, etc. (Note that I am using “cost” very generally here, and not just monetarily. Time and happiness are both costs.)

This is why spam is so bad. For each e-mail, the spammer pays a cost and receives a benefit, but there is an additional cost paid by the e-mail recipient. Because so much spam is unwanted, that additional cost is huge, and it is a cost the spammer never sees. If spammers could be made to bear the total cost of spam, its volume would be more along the lines of what society would find acceptable.

This economic analysis is important, because it’s the only way to understand how effective different solutions will be. This is an economic problem, and the solutions need to change the fundamental economics. (The analysis is largely the same for VoIP spam, Usenet newsgroup spam, blog comment spam, and so on.)

The best solutions raise the cost of spam. Spam filters raise the cost by increasing the amount of spam that someone needs to send before someone will read it. If 99% of all spam is filtered into trash, then sending spam becomes 100 times more expensive. This is also the idea behind white lists—lists of senders a user is willing to accept e-mail from—and blacklists: lists of senders a user is not willing to accept e-mail from.

Filtering doesn’t just have to be at the recipient’s e-mail. It can be implemented within the network to clean up spam, or at the sender. Several ISPs are already filtering outgoing e-mail for spam, and the trend will increase.

Anti-spam laws raise the cost of spam to an intolerable level; no one wants to go to jail for spamming. We’ve already seen some convictions in the U.S. Unfortunately, this only works when the spammer is within the reach of the law, and is less effective against criminals who are using spam as a mechanism to commit fraud.

Other proposed solutions try to impose direct costs on e-mail senders. I have seen proposals for e-mail “postage,” either for every e-mail sent or for every e-mail above a reasonable threshold. I have seen proposals where the sender of an e-mail posts a small bond, which the receiver can cash if the e-mail is spam. There are other proposals that involve “computational puzzles”: time-consuming tasks the sender’s computer must perform, unnoticeable to someone who is sending e-mail normally, but too much for someone sending e-mail in bulk. These solutions generally involve re-engineering the Internet, something that is not done lightly, and hence are in the discussion stages only.

All of these solutions work to a degree, and we end up with an arms race. Anti-spam products block a certain type of spam. Spammers invent a tactic that gets around those products. Then the products block that spam. Then the spammers invent yet another type of spam. And so on.

Blacklisting spammer sites forced the spammers to disguise the origin of spam e-mail. People recognizing e-mail from people they knew, and other anti-spam measures, forced spammers to hack into innocent machines and use them as launching pads. Scanning millions of e-mails looking for identical bulk spam forced spammers to individualize each spam message. Semantic spam detection forced spammers to design even more clever spam. And so on. Each defense is met with yet another attack, and each attack is met with yet another defense.

Remember that when you think about host identification, or postage, as an anti-spam measure. Spammers don’t care about tactics; they want to send their e-mail. Techniques like this will simply force spammers to rely more on hacked innocent machines. As long as the underlying computers are insecure, we can’t prevent spammers from sending.

This is the problem with another potential solution: re-engineering the Internet to prohibit the forging of e-mail headers. This would make it easier for spam detection software to detect spamming IP addresses, but spammers would just use hacked machines instead of their own computers.

Honestly, there’s no end in sight for the spam arms race. Even so, spam is one of computer security’s success stories. The current crop of anti-spam products work. I get almost no spam and very few legitimate e-mails end up in my spam trap. I wish they would work better—Crypto-Gram is occasionally classified as spam by one service or another, for example—but they’re working pretty well. It’ll be a long time before spam stops clogging up the Internet, but at least we don’t have to look at it.

Posted on May 13, 2005 at 9:47 AM

Phishing and Identity Theft

I’ve already written about identity theft, and have said that the real problem is fraudulent transactions. This essay says much the same thing:

So, say your bank uses a username and password to login to your account. Conventional wisdom (?) says that you need to prevent the bad guys from stealing your username and password, right? WRONG! What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details? Your username and password are only valuable insofar as the bank allows anyone who knows them to take your money. And therein lies the REAL problem. The bank is too lazy (or incompetent) to do what Bruce Schneier describes as “authenticate the transaction, not the person”. While it is incredibly difficult to prevent the bad guys from stealing access credentials (especially with browsers like Internet Explorer around), it is actually much simpler to prevent your money disappearing off to some foreign country….

When something goes wrong, the bank will tell you that you “authorised” the transaction, where in fact the party who ultimately “authorised” it is the bank, based on the information they chose to take as evidence that this transaction is the genuine desire of a legitimate customer.

The essay provides some recommendations as well.

  • Restrict IP addresses outside Australia
  • Restrict odd times of day (or at least be more vigilant)
  • Set cookies to identify machines
  • Record IP usually used
  • Record times of day usually accessed
  • Record days of week/month
  • Send emails when suspicious activity is detected
  • Lock accounts when fraud is suspected
  • Introduce a delay in transfers out—for suspicious amounts, longer
  • Make care proportional to risk
  • Define risk relative to customer, not bank

These are good ideas, though they need more refinement in the specifics. They’re a great start, and banks would do well to pay attention to them.
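What “authenticate the transaction, not the person” looks like in code, as an added example that is neither the essay’s nor this post’s: a risk score built from the signals in the list above, with the bank’s response proportional to the score, and the amount judged against the customer’s own history rather than a bank-wide figure. Written in Go over a constructed customer profile and three constructed transfers; the weights, the thresholds, the hold-time rule, the cookie and IP values (documentation address ranges) and the function names are assumptions made for illustration, not calibrated numbers.

```go
package main

import (
	"fmt"
	"time"
)

// Profile is what the bank has recorded about one customer's normal use.
// Risk is judged against this customer's own history, not a bank-wide average.
type Profile struct {
	HomeCountry   string
	KnownIPs      map[string]bool
	KnownCookies  map[string]bool // device cookies the bank has set before
	UsualHours    map[int]bool    // hours of day previously seen
	UsualWeekdays map[time.Weekday]bool
	TypicalAmount float64 // this customer's usual transfer size
}

// Transfer is one outgoing transfer request as the bank sees it.
type Transfer struct {
	IP, Country, Cookie string
	At                  time.Time
	Amount              float64
}

// Decision is what happens to the transfer: care proportional to the score.
type Decision struct {
	Score   int
	Action  string // "allow", "notify+delay" or "lock"
	Hold    time.Duration
	Reasons []string // what goes into the e-mail to the customer
}

// Score authenticates the transaction rather than the person: the password has
// already succeeded, and each signal asks whether this particular transfer looks
// like this particular customer. Weights and thresholds are assumed for illustration.
func Score(p Profile, t Transfer) Decision {
	ratio := t.Amount / p.TypicalAmount
	signals := []struct {
		hit bool
		pts int
		why string
	}{
		{t.Country != p.HomeCountry, 40, "source IP outside " + p.HomeCountry},
		{!p.KnownIPs[t.IP], 15, "IP address never seen for this customer"},
		{!p.KnownCookies[t.Cookie], 20, "device cookie not recognised"},
		{!p.UsualHours[t.At.Hour()], 10, "unusual hour of day"},
		{!p.UsualWeekdays[t.At.Weekday()], 5, "unusual day of week"},
		{ratio >= 10, 30, "amount over 10x this customer's typical transfer"},
		{ratio >= 3 && ratio < 10, 15, "amount over 3x this customer's typical transfer"},
	}
	var d Decision
	for _, s := range signals {
		if s.hit {
			d.Score += s.pts
			d.Reasons = append(d.Reasons, s.why)
		}
	}
	switch {
	case d.Score >= 70:
		d.Action = "lock" // freeze outgoing transfers until the customer confirms
	case d.Score >= 30:
		d.Action = "notify+delay" // e-mail the customer and hold; longer for larger amounts
		d.Hold = time.Duration(1+int(ratio)) * time.Hour
	default:
		d.Action = "allow"
	}
	return d
}

// SampleProfile is a constructed customer: banks from Australia from two known
// addresses, on weekdays in office hours, and typically moves $400.
func SampleProfile() Profile {
	p := Profile{HomeCountry: "AU", TypicalAmount: 400,
		KnownIPs:     map[string]bool{"203.0.113.7": true, "203.0.113.9": true},
		KnownCookies: map[string]bool{"dev-a1": true},
		UsualHours:   map[int]bool{}, UsualWeekdays: map[time.Weekday]bool{}}
	for h := 8; h <= 20; h++ {
		p.UsualHours[h] = true
	}
	for wd := time.Monday; wd <= time.Friday; wd++ {
		p.UsualWeekdays[wd] = true
	}
	return p
}

// SampleTransfers are constructed (documentation IP ranges): [0] routine;
// [1] four times the usual amount from a new address but the usual device;
// [2] a large sum from abroad at 3 a.m. on a Sunday from an unknown device.
func SampleTransfers() []Transfer {
	return []Transfer{
		{"203.0.113.7", "AU", "dev-a1", time.Date(2005, time.May, 10, 14, 0, 0, 0, time.UTC), 350},
		{"198.51.100.4", "AU", "dev-a1", time.Date(2005, time.May, 10, 11, 0, 0, 0, time.UTC), 1600},
		{"192.0.2.55", "US", "", time.Date(2005, time.May, 8, 3, 0, 0, 0, time.UTC), 9000},
	}
}

func main() {
	for _, t := range SampleTransfers() {
		d := Score(SampleProfile(), t)
		fmt.Printf("score=%3d action=%-12s hold=%v reasons=%v\n", d.Score, d.Action, d.Hold, d.Reasons)
	}
}
```

The routine transfer scores zero and goes through; the one from a new address at four times the usual amount is held for a few hours while the customer is e-mailed; the foreign 3 a.m. transfer trips nearly every signal and locks the account. A stolen password alone buys the attacker nothing in the third case, which is the essay’s point: the credentials are only as valuable as what the bank lets them move.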

Posted on May 10, 2005 at 4:24 PM

REAL ID

The United States is getting a national ID card. The REAL ID Act (text of the bill and the Congressional Research Services analysis of the bill) establishes uniform standards for state driver’s licenses, effectively creating a national ID card. It’s a bad idea, and is going to make us all less safe. It’s also very expensive. And it’s all happening without any serious debate in Congress.

I’ve already written about national IDs. I’ve written about the fallacies of identification as a security tool. I’m not going to repeat myself here, and I urge everyone who is interested to read those two essays (and even this older essay). A national ID is a lousy security trade-off, and everyone needs to understand why.

Aside from those generalities, there are specifics about REAL ID that make for bad security.

The REAL ID Act requires driver’s licenses to include a “common machine-readable technology.” This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn’t matter how well the states and federal government protect the data on driver’s licenses, as there will be parallel commercial databases with the same information.

Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver’s licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).

REAL ID requires that driver’s licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police—even undercover police officers. This seems like a major unnecessary security risk.

REAL ID also prohibits states from issuing driver’s licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses—which isn’t going to help anyone’s security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

REAL ID is expensive. It’s an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I’ve seen estimates that the cost to the states of complying with REAL ID will be $120 million. That’s $120 million that can’t be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver’s licenses, the security measures recommended by the 9/11 Commission Report. That’s already done. It’s already law.

REAL ID goes way beyond that. It’s a huge power-grab by the federal government over the states’ systems for issuing driver’s licenses.

REAL ID doesn’t go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver’s license will bring a new level of “show me your papers” checks by the government. Already you can’t fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I’ve already heard rumblings about requiring states to check identities against “government databases” before issuing driver’s licenses. I’m sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

Is there anyone who would feel safer under this kind of police state?

Americans overwhelmingly reject national IDs in general, and there’s an enormous amount of opposition to the REAL ID Act. This is from the EPIC page on REAL ID and National IDs:

More than 600 organizations have expressed opposition to the Real ID Act. Only two groups—Coalition for a Secure Driver’s License and Numbers USA—support the controversial national ID plan. Organizations such as the American Association of Motor Vehicle Administrators, National Association of Evangelicals, American Library Association, Association for Computing Machinery (pdf), National Council of State Legislatures, American Immigration Lawyers Association (pdf), and National Governors Association are among those against the legislation.

And this site is trying to coordinate individual action against the REAL ID Act, although time is running short. It’s already passed in the House, and the Senate votes tomorrow.

If you haven’t heard much about REAL ID in the newspapers, that’s not an accident. The politics of REAL ID is almost surreal. It was voted down last fall, but has been reintroduced and attached to legislation that funds military actions in Iraq. This is a “must-pass” piece of legislation, which means that there has been no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing.

Near as I can tell, this whole thing is being pushed by Wisconsin Rep. Sensenbrenner primarily as an anti-immigration measure. The huge insecurities this will cause to everyone else in the United States seem to be collateral damage.

Unfortunately, I think this is a done deal. The legislation REAL ID is attached to must pass, and it will pass. Which means REAL ID will become law. But it can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I’ll be there.

Posted on May 9, 2005 at 9:06 AM

New U.S. Government Cybersecurity Position

From InfoWorld:

The Department of Homeland Security Cybersecurity Enhancement Act, approved by the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, would create the position of assistant secretary for cybersecurity at DHS. The bill, sponsored by Representatives Mac Thornberry, a Texas Republican, and Zoe Lofgren, a California Democrat, would also make the assistant secretary responsible for establishing a national cybersecurity threat reduction program and a national cybersecurity training program….

The top cybersecurity official at DHS has been the director of the agency’s National Cyber Security Division, a lower-level position, and technology trade groups for several months have been calling for a higher-level position that could make cybersecurity a higher priority at DHS.

Sadly, this isn’t going to amount to anything. Yes, it’s good to have a higher-level official in charge of cybersecurity. But responsibility without authority doesn’t work. A bigger bully pulpit isn’t going to help without a coherent plan behind it, and we have none.

The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government’s enormous purchasing power and demand more secure hardware and software.

Here’s the text of the act, if anyone cares.

Posted on May 6, 2005 at 8:05 AM
