I just updated the post with a point I forgot to include when I wrote it last night:
The one thing new legislation should do is require companies, and especially banks, government agencies, and health care organizations, to have a defined channel for reporting security flaws anonymously and in detail. By reporting the GSA eOffer flaw to the agency's Inspector General, I followed proper procedure (and was punished), but most of the time, there is no proper procedure. I reported the PayMaxx flaw to the only people who would listen--my sales representative and customer service representatives--and unsurprisingly, the critical information went nowhere. I reported the Facebook flaw to Mark Zuckerberg, and unsurprisingly, he placed the blame on someone else, telling me that he hadn't written the code in question. Responses like these aren't good enough. On the FaceCash payment system web site, this is why we've put a link to our security response form on the bottom of every single page. (If you run a web site, you should do the same.)
This puzzles me. You correctly note how absolutely abysmal the political arena is for crafting well-defined rules regarding technical issues, and yet you immediately start agitating for more regulation. Do you really want to be compelled to conform to whatever (likely flawed) procedural policy the politicians and bureaucrats would come up with? A policy which would require further legislation to fix (much to the joy of lawyers and lobbyists)?
How about this instead: repeal some legislation. Repeal the laws that prosecute Good Samaritans who, after reporting a security flaw to a firm, release it to the public who might be harmed by the flaw. If the firm has no procedures in place to deal with the reports, then too bad for them; they don't get to use the state as a club against others.
I'm fully aware that none of that will happen. The police power of the state confers no wisdom on those willing to wield it. Nor do they have any incentive to write good laws, but on the contrary are encouraged by interested parties to write bad laws (intentionally or not). So please, stop agitating for new laws in the vain hope that finally, this time, they won't create a plethora of unintended consequences and injured innocents.
We're all entitled to our political views. Mine are that regulation and deregulation are both potentially dangerous, but that if we all assume the worst--that no regulation can ever be effective, so we shouldn't have any--we'll get nowhere fast. So I advocate for regulations that make sense, despite being aware that politics isn't always so logical or straightforward.
I'd like to see some automatic procedure set in place for notification in channel. Vague arm waving at this point, but it would be nice if there were something to indicate at least a kind of 'we heard you' back from government organizations. Can't do much for the rest; they can pretend to their heart's content. Given human nature (the bureaucrat/politician subset) this is a tough problem...