Should there be federal ordinances in place for cybersecurity threats where the affected organization is billed for the shutdown?
When you frame it that way, it does sound more plausible that this could happen. Policies do each of those things in some cases, mostly by racist design, but otherwise simply for profit.
Private fire departments (before municipalities had public fire depts) definitely charged homeowners and businesses to put out their fires.

This article from ABC News in 2010 documented a trend to begin to charge and bill for firefighting service in some locations:
https://abcnews.go.com/Business/fire-department-bills-basic-services-horrify-residents-insurance/story?id=9736696

Also, from Wikipedia, the free encyclopedia:

"In the United States, an emergency response fee, also known as fire department charge, fire department service charge, accident response fee,[1][2] accident fee,[3] Traffic Infraction Accident Fee,[4] ambulance fee,[5] etc., and pejoratively as a crash tax[6] is a fee for emergency services such as firefighting, emergency medical services, environmental response, etc., performed by a local fire department, EMTs, police department, etc., at the scene of a structure fire, wildfire, traffic collision, or other emergency, billed afterward to the surviving property owner or owner(s), operator(s) of the vehicle(s) involved, and/or their insurance companies."

"Many states and localities have approved these fees. Many states and localities prohibit these fees.[7]"

"Some fire departments charge small and large fees for firefighting.[8] Some bill the survivors, some bill the insurance companies of the survivors.[9]"

"Some fire departments charge an advance fire subscription fee for fire protection. They often do not fight fires that are not covered, refusing offers of back payment.[10][11]"

"The fees are controversial, with multiple arguments for and against.[12]"

[ https://en.wikipedia.org/wiki/Emergency_response_fee ]
If I read this right, it’s asking if victims of a cybersecurity incident should be billed for impacts of shutting down?
Broadly, no.
There are additional rules around trade, privacy, etc. that make sense that could apply here, as well as ones in regulated industries.
There should be some level of a federal ordinance on which the government can take action if you're posing a risk to others, even in the logical sense. And, if warranted, they should be able to take the systems down or offline so you're not damaging others.
But if we accept that level of government interference, we quickly reach the point where they can say, “We think that you haven't patched your systems in a while. You're at a risk so we're going to take your company down.” It's a super slippery slope. An ordinance follows policy and law; the FBI action that happened in April was a judge’s subpoena. I would be surprised if they had coordinated with private sector cybersecurity leaders on any of it.
I don't think it's unreasonable for the government to create strict guardrails to regulate cybersecurity and say “This is not acceptable. You must take action and, if you don't, we'll do it for you and send you a bill.” For example, if you don't cut your lawn in Saratoga you'll get a letter. If you continue without mowing your lawn—creating blight in Saratoga—you'll get a second letter. And then the third time they will come and use a service to cut your lawn. And for the cost of that service they will put a lien on your house. It's an ordinance. It’s invasive.
This opens a Pandora’s Box.
Does the fire department bill people who should have been more careful with kitchen fires?
No insurance coverage to obese patients?
Police department not show up to those who didn’t have good locks?