A Cybersecurity Role for Uncle Sam?

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, April 1, 2004; 5:33 PM

The nation's top software companies today conceded that new government regulations may be needed to strengthen the nation's vital computer networks from online attack, a shift away from their traditional stance against regulation. But critics of the plan said it still falls far short of the aggressive action needed to protect the nation's information infrastructure from attacks by terrorists and online criminals.

The recommendations, released by the National Cyber Security Partnership, were intended to answer the Bush administration's challenge to the technology community to develop more secure software products as part of their contribution to the White House's national cybersecurity strategy.

Ron Moritz, chief security strategist for Islandia, N.Y.-based Computer Associates and chairman of the taskforce that released the plan, cautioned against government rules to hold software makers liable for security problems.

"[We] don't believe there has been sufficient study of the impact of liability regulation or legislation, and to make that call today would be premature," said Moritz. "We need to better understand the potential impact of new product liability laws, particularly on smaller software makers and open-source providers."

The report said that government intervention could be necessary in dealing with software that is responsible for insuring the safety of the nation's "critical infrastructures" such as the water, power and telecommunications grids.

"[It] is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," it said. "Any such gap should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible."

Amit Yoran, the Department of Homeland Security's cybersecurity chief, said that government regulation might be necessary.

"Nothing is off the table," Yoran said. "If we feel there is an appropriate role for specific legislation that's going to have the positive impact of helping to secure the nation's critical infrastructures, we will take that course of action."

Yoran said the Homeland Security Department would study the proposals. Meanwhile, the report could influence legislative proposals in Congress, though security experts in and outside of government said it is more likely that the measures would set a standard for private companies to follow on a voluntary basis.

The report mainly calls for an industry-led national accreditation program for software developers, more stringent testing of software patches and broader use of tools that can catch common software flaws. The group also suggested forming a multi-company program to offer rewards for information leading to the conviction of cyber criminals.

The group includes executives from Microsoft Corp., the world's largest software developer, as well as the Business Software Alliance and Hewlett-Packard Co., among other companies.

Its recommendations come amid mounting pressure from computer security experts and the government for software developers to eradicate security flaws that contributed to the success of destructive Internet attacks like the "Slammer" and "Blaster" worms.

Security researchers identified at least 3,700 software security vulnerabilities last year, contributing to a 40 percent increase in Internet attacks, according the CERT Coordination Center, a government-funded cybersecurity monitoring agency based in Pittsburgh.

A July 2002 study from the National Institute of Standards and Technology (NIST) found that software bugs cost the U.S. economy nearly $60 billion a year. NIST also found that improved software testing before release could cut that figure by a third.

The problem, many experts have said, is that the White House's year-old cybersecurity strategy shies away from requiring software developers and technology businesses to improve their security practices. Critics said today's recommendations do not improve the situation.

"Who is [it] that drops the hammer when these people don't live up to their recommendations?" said Jim Lewis, director of technology policy at the Center for Strategic and International Studies in Washington, D.C., and himself a member of the taskforce. "If there ain't no hammer, it sort devalues this whole process."

Some of the toughest criticism came from Cathy Allen, head of a division of the Financial Services Roundtable, which represents some of the world's largest financial institutions.

Allen resigned from her role as co-chairman of the taskforce last week, saying that it refused to recommend that software developers adhere to stricter security standards when selling their products to the financial industry and other critical infrastructure businesses.

Allen's group also said that the industry should provide more support for older versions of its software and make patching security flaws less costly and more efficient.

"What's missing from this report is the perspective that the financial community and other critical infrastructures already are held responsible for meeting a number of federal regulations on the use of the Internet and computer security, and right now it's all on our shoulders," Allen said. "We're asking for more responsibility from software community in this regard and this report doesn't address that."

Allen's group, the Banking Industry Technology Secretariat, found in a study last year that its members spend an average of $400 million annually to fix software flaws. The organization estimated that the banking industry as a whole spends nearly $1 billion each year patching and adapting computer systems to remedy software vulnerabilities.

Moritz, the cybersecurity group's co-chairman, said many of the banking group's comments were not submitted until two weeks ago when the group had nearly finished drafting its report. He said the group would continue to evaluate the proposals.

Alan Paller, director of research for the SANS Institute, a Bethesda, Md.-based security training group, was disappointed that the recommendations did not include using federal buying power to insure that software vendors meet reasonable security standards.

"Notice that the only place they recommend the government use its economic power to enforce standards was on universities -- not on companies like theirs that earn millions of dollars every week from selling buggy, misconfigured software," Paller said. "The next time the computer industry offers to help make policy for improving cybersecurity, I hope [Homeland Security] follows Nancy Reagan's lead and decides to 'Just say No.'"

The cybersecurity partnership already has released reports advocating an early warning network for Internet threats, as well as recommendations for steps individual computer users can take to protect their systems from online threats. It plans to release two more reports dealing with Internet governance and technology standards. Both reports are due later this month.