That's a question Dice posed to several middle managers recently. "We paid a lot of money for this tech property, but we have absolutely no idea how to use it", said one Dice higher up who requested anonymity. "Seriously - help us out here! There are over three million Slashdot subscribers, but none of them will click on an ad!", he lamented. "And they won't come over to dice.com and discuss these stories we keep cross-posting! We don't want to just be a second-rate job board forever..."
This ends a situation in which two companies that would otherwise have been competitive bidders decided that it would cost them less to be a monopoly, and created their own cartel. Since they were a sole provider, they persuaded the government to pay them a Billion dollars a year simply so that they would retain the capability to manufacture rockets to government requirements.
Yes, there will be at least that Billion in savings and SpaceX so far seems more than competitive with the prices United Launch Alliance was charging. There will be other bidders eventually, as well.
There may be good reasons for the 'pedestrian detection' feature to be an extra purchase(more sensors, more DSP, recouped development costs, etc.) or it may just be a single bit in the firmware waiting to be flipped in a magic screwdriver upgrade; but either way, "Yeah, we have a feature that would have prevented that accident; but it didn't because we prefer to charge more for it." seems like the sort of statement that is likely to attract the wrong sort of scrutiny.
If you admit to having the mature capability; how long before failing to include it is negligence? Will you be able to keep it as an add-on, rather than a standard feature like antilock braking? Are you absolutely sure that your sales people didn't misrepresent the capabilities of what they sold? and so on.
It seems as though they'd be much better off just issuing a flat 'don't do stupid irresponsible things' and quietly dropped the matter.
Historically, 'retail' insurance, for individuals and little stuff, was mostly statistical with a side of adversarial: Aside from a few token offers of a free fitbit or whatever, the insurer basically calculates your expected cost as best they can based on your demographics and history and charges you accordingly, and tries to weasel out of anything too unexpectedly expensive.
However, for larger endeavors, (the ones I'm most familiar with are utility and public works projects, there may well be others), sometimes a more collaborative model reigned: the insurer would agree to pay out in the event of accidents, jobsite deaths, and so on, as usual, and the client would pay them for that; but the insurer would also provide guidance to the project, best practices, risk management, specialist expertise on how to minimize the number of expensive fuckups on a given type of project, expertise that the customer might not have, or have at the same level. This was mutually beneficial, since the customer didn't want accidents, the insurer didn't want to pay for accidents, and everyone was happiest if the project went smoothly.
In a case like this; the incentives might align better if the contractor were were delivering both the security and the breach insurance: this would immediately resolve the argument over whether the policyholder was negligent or the insurer needs to pay up: if the IT contractor got the systems hacked through neligence, that's their fault; and if they secured the systems; but a hack was still pulled off, that's where the insurance policy comes in.
This scheme would run the risk of encouraging the vendor to attempt to hide breaches small enough to sweep under the rug; but it would otherwise align incentives reasonably neatly: an IT management/insurance hybrid entity would internalize the cost of the level of security it manages to provide(more secure presumably means greater expenditures on good IT people; but more secure also means lower effective cost of providing insurance, since you can expect fewer, smaller, breaches; and fewer, smaller, claims). If the equilibrium turns out to be 'slack off, pay the claims', that suggests that the fines for shoddy data protection need to be larger; but the arrangement would induce the vendor to keep investing in security until the marginal cost of extra work on IT was higher than the marginal gain from lower expected costs in claims; so the knob to turn to get better security is relatively accessible.
With IT systems(at least at the level of software attacks, if they break in at the silicon level it's another story), there is a platonic essence of 'the secure' floating out there, though generally far, far, far, too expensive, cumbersome, and slow to build to ever see the light of day; and there really isn't the same degree of agreement about what counts as 'secure enough for X' or 'incompetent'. Gross incompetence is something you can identify, and there are various formally proven systems in existence, mostly for the constrained use cases of cost-insensitive customers; but the stuff in the middle is very much up in the air.
Alas, 'Cottage Health' is a medical provider of some sort, so such feelings swiftly evaporated.
That aside, this seems like a situation that is simultaneously common sense(Obviously you won't be able to buy 'cyber insurance' that covers egregious negligence, at least not for any price that doesn't reflect an essentially 100% chance of payout, plus the insurer's profit margins and transaction cost); and likely to be an endless nightmare of quibbling about what 'security' is.
We've all seen the long, long, history of attempts to do security-by-checklist, most of which allow you to say that you 'followed industry best practices' by closing the barn door after the horse is long gone, so long as the barn door was constructed with galvanized nails of suitable gauge and is running any antivirus product, efficacy irrelevant. It's not as though 'security' is fundamentally unknowable and intersubjective, man; but it sure isn't something you'd want a lawyer or a layman attempting to boil down into a chunk of contractual language. Barring some miracle of clarity, I suspect that we'll see quite a few dustups that basically involve the insurer's expert witnesses smearing the policyholder's security measures(if they did it by the checklist, the expert witnesses will be snide grey hats who eat 'best practices' for lunch, if they deviated from the checklist, it'll be hardasses on loan from the PCI compliance auditing process, if they implemented a mathematically proven exotic microkernel it'll be somebody asking why Windows Updates weren't being applied in a timely manner); and the policyholder's expert witnesses puffing like salesmen about how strong the security was; and how it must have been an 'advanced persistent threat' to have hacked through such durable code walls.
The fundamental question of 'did you fail to lock the door, or did somebody take a crowbar to it?' is sensible enough in the context of an insurance claim; but rigorously defining what 'locking the door' means in a complex IT operation; and where the boundary between 'incompetence' and 'unavoidable imperfection' lies, is not going to be pretty. My only hope is that if any of these go to jury, the lawyers decide to strike anyone who sounds like they might know something about computers; because it's going to be a long, boring, slugging match of a case.
Exactly. Why are we still wasting time discussing this scheme?
If that is the case, our very own 'Department of Homeland Security' represents a reshuffling at least as large, absorbing as it did various departments under the vague theory that they hadn't been anti-terrorist enough. It...hasn't really been much to write home about.
For myself, I'm interested just because hardware crypto tokens are so strong compared to passwords of any remotely tractable-to-humans complexity, and less vulnerable to untrustworthy clients than doing keypair auth with a private key that lives on a relatively vulnerable computer, rather than never leaving dedicated hardware; but for it to be something useful outside geeks and IT-managed environments, the extra bit of configuration data capability seems like it would be necessary.
Maybe if I were feeling entrepreneurial...
You propose to replace it with a sole-source, crony capitalist, 'state corporation', to take advantage of the important synergies between the public sector's capabilities in corruption and mediocrity and the private sector's sophistication in financial and organizational malfeasance?
Christ, guys, if you keep this up I'll start feeling good about US mil/aero procurement practices by comparison...
You can argue about the relative virtues of public sector and private sector agents for various purposes; but there is no lower form of life than the crony capitalist entity when it comes to corruption.
What I would love to see, though, would be a router that uses some USB or NFC security fob for idiot-proof and robust VPN setups: just imagine: plug the fob into the router, or set it on the NFC pad, press the 'bless' button; and the router would perform the appropriate cryptographic handshaking with the fob, and provide the configuration information for setting up the VPN(url, VPN type, etc.).
Then you bring the fob over to a computer or mobile device, hit 'make it so', and the VPN client reads out the config data, makes the appropriate configuration changes, and the fob authenticates the connection. Quick, trivially easy, much more secure than a password or even a certificate file on a USB drive; and you are neatly tunneled back to your home network regardless of the hostile and untrusted networks you may encounter during the day.
Should you lose the fob; hit the 'unbless all' button and all fobs need to be re-blessed before they can be used(obviously, web or other interfaces to the router could allow more granular and advanced control; but having to re-bless a few fobs is likely to be easier than having to understand a more complex interface for many unsophisticated users, who probably only have a small number of active fobs anyway).
Well, that and DRM. Tell 'em that the pirates will steal their precious 'premium content' and suddenly they get real interested in security, albeit more in the 'building prisons' than 'building fortresses' sense of the word.