Should there be federal ordinances in place for cybersecurity threats where the affected organization is billed for the shutdown?



Member Board of Directors in Finance (non-banking), 201 - 500 employees
I don't think it's unreasonable for the government to create strict guardrails to regulate cybersecurity and say “This is not acceptable. You must take action and, if you don't, we'll do it for you and send you a bill.” For example, if you don't cut your lawn in Saratoga you'll get a letter. If you continue without mowing your lawn—creating blight in Saratoga—you'll get a second letter. And then the third time they will come and use a service to cut your lawn. And for the cost of that service they will put a lien on your house. It's an ordinance. It’s invasive.
Board Member, Advisor, Executive Coach in Software, Self-employed
There should be some level of a federal ordinance on which the government can take action if you're posing a risk to others, even in the logical sense. And, if warranted, they should be able to take the systems down or offline so you're not damaging others.
Managing Partner & CISO in Software, 11 - 50 employees

But if we accept that level of government interference, we quickly reach the point where they can say, “We think that you haven't patched your systems in a while. You're at a risk so we're going to take your company down.” It's a super slippery slope. An ordinance follows policy and law; the FBI action that happened in April was a judge’s subpoena. I would be surprised if they had coordinated with private sector cybersecurity leaders on any of it.

Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
If I read this right, it’s asking if victims of a cybersecurity incident should be billed for impacts of shutting down?

Broadly, no.

There are additional rules around trade, privacy, etc., that make sense and could apply here, as well as ones in regulated industries.
Senior Information Security Manager in Software, 501 - 1,000 employees
This opens a Pandora’s Box. 

Does the fire department bill people who should have been more careful with kitchen fires?

No insurance coverage to obese patients?

Police department not show up to those who didn’t have good locks?
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees

When you frame it that way, it does sound more plausible that this could happen. Policies do each of those things in some cases, mostly by racist design, but otherwise simply for profit.

Principal Information Security Officer in Education, 10,001+ employees

Private fire departments (before municipalities had public fire depts) definitely charged homeowners and businesses to put out their fires.

This article from ABC News in 2010 documented a trend to begin to charge and bill for firefighting service in some locations:
https://abcnews.go.com/Business/fire-department-bills-basic-services-horrify-residents-insurance/story?id=9736696

Also, from Wikipedia, the free encyclopedia:

"In the United States, an emergency response fee, also known as fire department charge, fire department service charge, accident response fee,[1][2] accident fee,[3] Traffic Infraction Accident Fee,[4] ambulance fee,[5] etc., and pejoratively as a crash tax[6] is a fee for emergency services such as firefighting, emergency medical services, environmental response, etc., performed by a local fire department, EMTs, police department, etc., at the scene of a structure fire, wildfire, traffic collision, or other emergency, billed afterward to the surviving property owner or owner(s), operator(s) of the vehicle(s) involved, and/or their insurance companies."

"Many states and localities have approved these fees. Many states and localities prohibit these fees.[7]"

"Some fire departments charge small and large fees for firefighting.[8] Some bill the survivors, some bill the insurance companies of the survivors.[9]"

"Some fire departments charge an advance fire subscription fee for fire protection. They often do not fight fires that are not covered, refusing offers of back payment.[10][11]"

"The fees are controversial, with multiple arguments for and against.[12]"

[ https://en.wikipedia.org/wiki/Emergency_response_fee ]

