Is government regulation the way to blunt DDoS attacks?

Howard Solomon @HowardITWC
Published: November 8th, 2016

Government regulation is a sticky issue in any industry, perhaps even more in cyber security. Every time the government creates a rule or an obligation, goes the argument, it merely opens a hole to be exploited. Exhibit number one is the call for makers of any product with encryption to create a secure back door police and intelligence agencies can use to decrypt possibly criminal communications.

Of course there’s no such thing as an absolutely secure back door, so it will end up being used by criminals or nation states.

I raise this because last week security expert Bruce Schneier again raised the issue of whether governments should step in to help give more protection against distributed denial of service (DDoS) attacks.

It’s easy for attackers to build powerful DDoS botnets that leverage insecure Internet connected devices like consumer webcams, he argues. The most recent example was the attack last month on U.S. domain name service provider Dyn Inc., which temporarily impaired a number of online businesses including Twitter.

It doesn’t matter, Schneier argues, if DDoS attacks are state-based or not.
The fact that the software is so easily available to either build a botnet or buy it as a service that can pour 1 TB and more of data at a target is the threat.

“The market can’t fix this because neither the buyer nor the seller cares,” he has written. One logical place to block DDoS attacks is on the Internet backbone, he says, but providers have no incentive to do it because “they don’t feel the pain when the attacks occur and they have no way of billing for the service when they provide it.”

So when the market can’t provide discipline, Schneier says, government should. He offers two suggestions:

– impose security regulations on manufacturers, forcing them to make their devices secure;
– impose liabilities on manufacturers of insecure Internet connected devices, allowing victims to sue them.

Either one of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure, he argues.

I’m not sure. For one thing, litigation is a long and expensive process. How do I sue a company headquartered in another country (say, China) that sells devices used by a person in a third country (say, Brazil) which is part of a botnet assembled by a person in another country (say, the U.S.) used to attack me in Canada?

There’s also the problem of defining secure. What can a manufacturer do if it forces creation of a long password for a device, but users insist on insecure passwords (like “password123456879”)?

Still, we need to discuss short-term solutions because, as Schneier points out, with the huge number of insecure Internet connected devices out there the DDoS problem is only going to get worse.

Let us know what you think in the comments section below.