
You assume that regulation can just make security magically happen.

I see no reason to assume that premise to be correct in practice. It's not like the US Government hasn't been breached countless times or had Supreme Court opinions leaked; and it's not like corporations that really tried and should be examples of best practice haven't also been breached. Also, what law can prevent insider attacks? There are already plenty of laws making that illegal.

There's no law that just "makes security happen" - and, actually, I would be fundamentally opposed to such a law because it turns security into a simple matter of compliance. "We're SCA compliant, therefore we're good!" And technology changes way too much - a security law that was written 10 years ago would be a disaster today. See South Korea's Banking Security laws for an example - they basically enshrined ActiveX in their law with roll-your-own-crypto to this day. And we know now that was a trash idea but nobody wants to take the blame for upsetting the security standards. https://palant.info/2023/01/02/south-koreas-online-security-... and https://www.nytimes.com/2022/07/08/business/korea-internet-e...



Don't mandate them, just mandate that if you use known-deficient practices you're presumed negligent if an incident occurs. Then issue some guidelines for known best practices and known bad practices, and make it clear that using something newer/better is fine, just not using something on the "known bad" list. (For instance, best practices are to use two-factor authentication with one component being physical security; one-factor with a password is known-bad.)


I'm not calling for regulation on general security outcomes. I'm talking specifically about access controls on sensitive and highly privileged systems that have ripple impacts to consumer security, which should already be obvious best practice.


You assume that T-Mobile didn't try and just fail miserably, or repeatedly fail to insider attacks. If it was multiple insiders, the systems could be perfect technically and completely useless practically. We also don't know what the similar statistics for Verizon or AT&T or any other global carrier are for comparison.


I'm not assuming anything. I'm pointing out a failure of self-regulation, given that the TTPs listed in the original article, which are distinct from fully insider-supported attacks, should not happen.

There is obvious, direct, and destructive customer impact here.

Edit: actually I know people working in security roles for T-Mobile, and I am sure they or their sister teams are trying.


What point are you trying to make here? That T-Mobile maybe needs to screen employees better? That compromises are inevitable and we just need to deal? That we shouldn't give out so much data to corporations?


> There's no law that just "makes security happen"

In another thread I proposed making white-hat hacking legally protected, even without permission from the company. If your system is constantly being tested by mostly white-hat hackers seeking their next responsible disclosure and bounty, then that's something.

Bug bounties already exist, but they're opt-in, and companies that need them the most are not opting-in. We also see the people who do things like press F12 get legally bullied[0].

Changing the laws to protect white-hats and responsible disclosure would help. This would be a law that "just makes security happen".

[0]: https://www.youtube.com/watch?v=lSsvzBV0tyI or https://arstechnica.com/tech-policy/2021/10/missouri-gov-cal...


Legalizing hacking seems like a large loophole that will backfire. Where is the line between white-hat and black-hat?


Did you download 10 gigabytes of personal data and sell it? Or did you responsibly report the vulnerability once it was apparent? There would have to be some guidelines and some attacks like DDoS might still be illegal, etc.

Certainly a risk of this proposal is that some black-hats would get away, but that is already happening, so it's not really a problem of this proposal. This law won't affect black-hats because they already operate outside the law.

The problem is nobody can investigate the security of a company without facing major legal risks. As I linked above, a researcher pressed F12 and next thing he knew the Governor was threatening to prosecute him, and that's just one example. I believe it is a felony if I want to investigate for myself how secure T-Mobile's systems are, because they have not explicitly invited me to do so.

About 10 years ago I was doing some web scraping and came across a website that was exposing PII (SSNs and more) of thousands of people. It was in an API JSON response; the JavaScript only displayed part of the data, though. I just closed the site and never touched it again. I'm not a security researcher, and I don't know how to safely report what I saw. It all seems personally risky for little personal gain. So I closed the site and let it go. My attitude has long been that if society wants to offer me some strong legal protections then I'll do the right thing; otherwise, society can burn. Half the nation's personal data can get stolen twice a month, as is already the case. When society cares enough to do something about it, maybe I'll change my attitude.


In the absence of legislation (and perhaps even if/when legislation is enacted), an effective approach would be to simply hold entities to a reasonableness standard and to seek relief/damages under a common law negligence theory in lieu of a regulatory/legislative enforcement mechanism. That way, what is considered to be the industry standard (i.e. reasonable) changes at the pace of technology. The weak link here is quantifying individuals' damages in breaches where there is no clear injury (such as what you have in the Amazon/GoPro example described above).


Don't underestimate the value of checking all the security compliance check boxes. It solves what really matters - protecting executives from prosecution and/or being dragged in front of Congress to testify. <sarcasm off>

Seriously though, so long as cybersecurity insurance and "industry best practices checkbox management" are easier and/or cheaper than actual meaningful security measures, it will never be solved.

Worse, when a meaningful security measure that could actually make a difference collides with something in a best practices document, you know who will lose.

I'm not cynical at this point, no...


An executive or two in jail and we'll sure enough see security magically happen.


Should we throw the President in jail if the government gets breached?


No, of course not. (Nice straw-man attempt, btw.)

Just the way boards of companies have fiduciary duty, there should be some sort of customer information protection duty that companies are responsible/liable for. Basic security practices are being neglected at far too many companies.


Really not trying to strawman. You literally said an executive or two should be thrown in jail if their organization was breached. So which government executive would you "throw in jail" if their organization was breached?


If he incited the breach, sure.


You're forgetting an important aspect of making stuff like this law: accountability and recourse. Sure, laws won't magically make security happen, but they will provide tools to make companies that don't follow the outlined laws or regulations suffer consequences for mishandling data. Companies shouldn't just be "expected" to do the right thing, because often doing the right thing cuts into profits.


Regulations matter in order to make entities do the right thing when they have no other incentive to do so. They certainly aren't a panacea, but they also certainly can have positive effects.

> I would be fundamentally opposed to such a law because it turns security into a simple matter of compliance.

True, but that's better than effectively having no security at all.

