Indeed; Software Engineering and IT Admin need to be professionalized, in the sense that both individual practitioners and institutions take personal legal responsibility for the systems they implement.
But also, gross negligence doesn't justify criminal trespass. You can't walk into someone's home and touch all their stuff just because they left their front door open.
That is going to be very hard to do given that in most companies IT admins and even software devs are not really in control to make security and other choices; we present options to business leaders who make the choice.
My guess is that if you look at the vast majority of security incidents, it is not due to negligence on the part of an IT worker but instead due to the business choices to prioritize some new feature, or performance, or anything else over security.
If you put the liability on the head of the IT guy/gal who has been saying "hey, that system is insecure" only to be ignored by the business, well, that is a real good way to worsen the shortage in qualified people.
I sure as hell am not going to assume legal liability over systems I do not really have control over.
> I sure as hell am not going to assume legal liability over systems I do not really have control over.
That’s pretty much the goal, isn’t it? If everyone refuses to do the work without sufficient control, then power should shift accordingly (and your peers who continue to accept responsibility without control will eventually be eliminated from the system…).
That is, the choice of security vs other priorities shouldn’t exist for certain classes of business/data, and sysadmins shouldn’t be doing that work without sufficient authority.
The world is never that simple, and to put that simplistic lens on it will be a net negative.
These types of regulatory burdens further serve to consolidate the world in the large corporations, as they are the only ones that have the resources to either navigate them or pay for loopholes to them for their particular business.
The unintended consequences from that would be far worse than the security issues you hope to address.
If an architect designs a building that’s unsafe, they get serious consequences.
If they design one that's safe and the company ignores the design and doesn't maintain it correctly, it's the company's fault.
From the article, both the architecture and the operation of the network were wrong, to the point that a kid in his bedroom could kill people with it.
KPN and the judges asserted this network design and operation was a serious threat to human life. At the very least the health and safety authority should be shutting it down and arresting those responsible, and the CEO, CTO and CISO could then show how they weren’t responsible.
Accreditation and associated liability change this power dynamic. The struggle doesn't go away, but the dynamics do change. See how civil engineering works, for example.
It's not that hard; it's up to the personnel to inform the company, and the company is liable. The book should be thrown twice as hard at a company which fails to acknowledge said IT. There are already SOX audits, and several others with clearly established rules and repercussions.
You are at odds with both the parent comment and the other people that have replied.
They are not talking about holding the companies responsible; they are wanting to establish a standard of government licensure similar to that of a doctor or civil engineer, thereby making the INDIVIDUAL responsible, not the company.
Yeah, the odds being there is no point to holding an individual accountable, due to the reasons in the comment I replied to.
Especially when there are already systems in place which would solve the issue much more easily. All the parent will do is institute more government organizations and insurance.
> You can't walk into someone's home and touch all their stuff just because they left their front door open.
There are a few big differences here: (1) the "someone" is a company with $7B/yr in revenue and dedicated security resources, also (2) with millions of users relying on their doing an OK job securing the "home", and (3) which is connected to a network immediately accessible to anyone from bored teenagers all over the world to organized criminals and nation states looking to harm their users' interests. If a random script kiddie can find this hole by accident, how many determined teams with even minor budgets were accessing their network? Spooking KPN's security team into action was a mitzvah all around, even if he did not with whole heart and mind intend it as such [1].
More generally, the story this reminded me of most is that of Aaron Swartz. It's a true sadness that our societies deal so poorly with analytically developed folks' efforts being even slightly mis-applied by some fiendish letter-of-the-law measure, and otherwise "good" people entrusted to exhibit moral judgement seem to go into a frothing-at-the-mouth attack against those who literally did no harm to the groups that are supposedly being protected (scientific publishing / ISP users). I'm not sure if there is a theory of law by which a more global net good can completely outweigh more local crimes, but it seems a society that were to allow for that would be both more successful and more just.