Comments on: Expert insights 2: Cyber threats and security in the Caribbean
https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/
Discussing ICT, telecommunications and technology Issues from a Caribbean perspective
Wed, 01 May 2013 02:14:07 +0000

By: Garfield Gordon https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2278 Mon, 26 Mar 2012 16:53:15 +0000 http://www.ict-pulse.com/?p=3492#comment-2278 In reply to Rodney Taylor.

Hi Rodney,

Niel gave a great response around the commercial aspects of software development, differentiation and what you can do as a consumer to show your disapproval.

A business or government can set policies to disallow certain software or systems within their organization but they may have to deal with “fair competition” laws or issues. The US and Australian governments have disallowed Huawei equipment from being placed in their national or defense networks. Many businesses have chosen to standardize on Linux mainly because of licensing costs but they paid a substantial amount for training, support, integration and interoperability. The high-tech and systems integrator type companies do well at adopting many operating systems into their organizations because they use the experience as a learning platform as to what to expect with their customers.

Every system has vulnerabilities: Unix, Linux, Windows, Macintosh, Mainframes and PDA type devices. The ways they are attacked or “infiltrated” are different for each platform and range from social engineering to specific code being written to compromise a system. Microsoft listened to the market and released a product to address most of the security concerns of government, business and the public at large. This product is Microsoft Windows Vista. A name that will eventually fade away like Windows ME. Why? Because consumers rejected it stating that it was annoying and too restrictive.

Most systems have a “systems administrator” account and everyone else is created with a “user account” as this will minimize the exposure of the system to many vulnerabilities. How do we use our Windows machines? I will take the position to say with the Administrator account and not the user accounts but yet people complain that the system is vulnerable. Just remember that in the past the target systems were Unix and Mainframe based and the terms used were corporate espionage or sabotage. Windows is just the flavour of the decade. Let’s see which system is next.

Garfield

By: Moni https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2238 Mon, 26 Mar 2012 10:20:28 +0000 http://www.ict-pulse.com/?p=3492#comment-2238 In reply to Garfield Gordon.

Thank you for the response here. I do think that jurisdiction plays an important role where cyber crimes are concerned, as often the attacker and the victim are not in the same jurisdiction, hence the need for formal cooperation with outside agencies.

By: Niel Harper https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2209 Sun, 25 Mar 2012 12:45:45 +0000 http://www.ict-pulse.com/?p=3492#comment-2209 In reply to Garfield Gordon.

I believe that while cybercrime legislation can be beneficial, it can also prove to be somewhat worthless if not executed right and in concert with a number of other integral pieces of the response to online attacks. What most often happens is that fragmentation occurs where regional trade blocs or economic cooperation partnerships do not harmonise their legislative instruments, resulting in the inability to enforce their laws when crimes are conducted in other international jurisdictions. Additionally, in the absence of CERTs and CSIRTs, cybercrimes are not even prevented, detected or corrected in a sufficiently effective manner. Local police need to have formalized relationships with the FBI, Interpol and other agencies. Information needs to be constantly exchanged and agreements ought to be in place for extradition or local prosecution (whatever the case may be). All too often, we create cybercrime laws in a very insular fashion, and end up with a document that ‘looks and feels’ good, but has no teeth (no enforcement authority).

By: mmarius https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2208 Sun, 25 Mar 2012 12:36:32 +0000 http://www.ict-pulse.com/?p=3492#comment-2208 In reply to Niel Harper.

Thanks Niel!

By: mmarius https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2207 Sun, 25 Mar 2012 12:36:18 +0000 http://www.ict-pulse.com/?p=3492#comment-2207 In reply to Garfield Gordon.

Thanks Garfield!

By: Niel Harper https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2206 Sun, 25 Mar 2012 12:30:32 +0000 http://www.ict-pulse.com/?p=3492#comment-2206 In reply to Rodney Taylor.

Rodney,

Given the environment in which software companies operate, there is no fiduciary agreement to develop software that’s absent of bugs. Commercial software is about development cycles, speed to market and profit dynamics. In this context, secure coding practices just aren’t the primary focus points for developers. The software industry is not a regulated one, so there is no basis for government to impose such policies. However, the self-regulation mechanisms inherent in the industry can serve to reach the ends to which you refer. For one, software manufacturers can differentiate their products by adhering to certain best practices and submitting their products to 3rd party testing and validation before they reach market. Customers can also voice their disapproval by sending comments to manufacturers, and also by refusing to purchase products that have too many bugs or security weaknesses. As SaaS and cloud computing become more popular, I think we will see a paradigm shift towards more explicit trust relationships between providers and customers. There will simply be no other way to do business given the amplified risks associated with these platforms.

By: Rodney Taylor https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2198 Sun, 25 Mar 2012 01:54:39 +0000 http://www.ict-pulse.com/?p=3492#comment-2198 Do vendors such as Microsoft and others, whose software is so pervasive, have a responsibility to make their systems/software less vulnerable to attack? Would a government or business be within its right to set a policy that disallows the use of certain operating systems because they are inherently more vulnerable?

By: Garfield Gordon https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2177 Sat, 24 Mar 2012 17:23:30 +0000 http://www.ict-pulse.com/?p=3492#comment-2177 In reply to Moni.

Hi Moni,

The Cyber Crime Act seeks to encompass all computer related crime whether on a network or not. The definitions given are very broad and the punishments and/or fines vary based on the type of crime, the results of the crime and the victim of the crime. There is also a provision for the Act to be reviewed two years after its commencement.

Regarding data breaches, there are no mandatory provisions, that I am aware of, to force an organization to report such breaches to the public. I know there is the Payment Card Industry (PCI) requirement for members to report or notify the PCI Security Standards Council of a breach. If it is found that the merchant, bank or financial entity did not report a breach, their credit or debit card transactions could be rejected.

Hence my comments around governance, compliance and the creation of an entity to capture, collate and disseminate the breach information.

By: Michael https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2148 Sat, 24 Mar 2012 08:50:27 +0000 http://www.ict-pulse.com/?p=3492#comment-2148 It is encouraging to see that Jamaica already has a legal framework to address cybercrime. I haven’t read the entire Act, provided on the link. I was wondering the extent to which the Act caters for cybercriminals outside Jamaica but perpetrating crimes in Jamaica (Internet being ubiquitous).

By: Moni https://ict-pulse.com/2012/03/expert-insights-2-cyber-threats-and-security-in-the-caribbean/#comment-2101 Fri, 23 Mar 2012 18:10:10 +0000 http://www.ict-pulse.com/?p=3492#comment-2101 Great article. It is useful to know that Jamaica has the cybercrime act. Will that act address a computer related crime that doesn't involve any network at all? Or is there another act to address that? I know Barbados as well as Caricom has a Computer Misuse Act but Jamaica apparently doesn't. Not sure about the other islands, maybe someone can enlighten us on that.
I know companies are reluctant to report these breaches (as it is worldwide); however, I am sure that keeping it a secret could cause more harm than good. As alluded to in a post last week, just maybe if there was a central arm to report and collate this info, maybe more would be available. Also, if no info/data is made available it could stifle research and development in the region (personal agenda here); such info is needed to propel developments to help address and stem these issues.
