It's a good direction but I wonder if it's strong enough. It acknowledges a lot of the problems in the current state of cybersecurity and effectively states "OK, we know this is a problem, we're going to do something about it."
But I wish they'd state exactly what they're going to do. Coming out with nominal fines for service owners and providers will just be chalked up as the cost of doing business. If a service like LastPass is going to be liable in the case of a data breach causing a consumer to be vulnerable but it's just a wrist slap, that just means prices shoot up without any necessary change on the provider.
It's one thing to acknowledge the issue, but being minimally invasive is worrying. If you're going to acknowledge that market forces have failed the consumer in your report, I hope your next step isn't going to be "hope the market is scared by scarecrows."
I love seeing this taken more seriously by the leadership.
We are not where we need to be, but this is the start of the solution.
As ransomware is a borderless challenge requiring international cooperation, the White House has convened the Counter-Ransomware Initiative (CRI) with participation from more than thirty countries.
The CRI has conducted global exercises to build resilience and launched an international counter ransomware task force... often coordinating disruption efforts.
Wouldn't it be great if we could take all the money lost to ransomware and spend it on the CRI? And in spook dept fashion, they quietly make the problem go away.
You just wake up one sunny morning and realize that malware isn't a problem anymore. Nobody says why. It just suddenly stops.
Strategic Objective 3.3 is my dream.
If a building collapses due to poor design the civil engineer who stamped off on the design is liable. If it collapses due to poor construction the contractor is liable.
When doctors screw up they may get sued, lose their license, and/or go to jail. When civil engineers screw up they may get sued, lose their license, and/or go to jail. When truck drivers screw up they may get sued, lose their license, and/or go to jail.
If a hairdresser screws up and nicks a customer's ear, he or she can lose their ability to ever cut hair again. If a liquor store sells to minors they can lose their liquor license and/or go to jail.
For some reason when programmers screw up they point at the EULA and say "lol get fucked" and then complain about how "programming is sooooooo hard and complicated" when any form of professional liability is proposed.
With software and related services, if an engineer uploads everyone's information to a publicly accessible S3 bucket and everyone's shit gets stolen "LoL our bad here's three months of credit monitoring and a settlement check for $22.43 two years after the fact".
"Your negligence and utter disregard for industry standard best practices led to tens of thousands of dollars in damages..." THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND... "but you fucked up the lives of hundreds of thousands of people" THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.. "you can't just keep repeating that like a magical incantation" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED... here's a check for $20 go away.
Too bad 3.3 will never happen in a million years...