A Cybersecurity Role for Uncle Sam?
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, April 1, 2004; 5:33 PM
The nation's top software companies today conceded that new government regulations may be needed to strengthen the nation's vital computer networks against online attack, a shift away from their traditional stance against regulation. But critics of the plan said it still falls far short of the aggressive action needed to protect the nation's information infrastructure from attacks by terrorists and online criminals.

The recommendations, released by the National Cyber Security Partnership, were intended to answer the Bush administration's challenge to the technology community to develop more secure software products as part of their contribution to the White House's national cybersecurity strategy.

Ron Moritz, chief security strategist for Islandia, N.Y.-based Computer Associates and chairman of the taskforce that released the plan, cautioned against government rules to hold software makers liable for security problems.

"[We] don't believe there has been sufficient study of the impact of liability regulation or legislation, and to make that call today would be premature," said Moritz. "We need to better understand the potential impact of new product liability laws, particularly on smaller software makers and open-source providers."

The report said that government intervention could be necessary in dealing with software that is responsible for ensuring the safety of the nation's "critical infrastructures" such as the water, power and telecommunications grids.

"[It] is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," it said. "Any such gap should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible."

Amit Yoran, the Department of Homeland Security's cybersecurity chief, said that government regulation might be necessary.

"Nothing is off the table," Yoran said. "If we feel there is an appropriate role for specific legislation that's going to have the positive impact of helping to secure the nation's critical infrastructures, we will take that course of action."

Yoran said the Homeland Security Department would study the proposals. Meanwhile, the report could influence legislative proposals in Congress, though security experts in and outside of government said it is more likely that the measures would set a standard for private companies to follow on a voluntary basis.

The report mainly calls for an industry-led national accreditation program for software developers, more stringent testing of software patches and broader use of tools that can catch common software flaws. The group also suggested forming a multi-company program to offer rewards for information leading to the conviction of cyber criminals.

The group includes executives from Microsoft Corp., the world's largest software developer, as well as the Business Software Alliance and Hewlett-Packard Co., among other companies.

Its recommendations come amid mounting pressure from computer security experts and the government for software developers to eradicate security flaws that contributed to the success of destructive Internet attacks like the "Slammer" and "Blaster" worms.

Security researchers identified at least 3,700 software security vulnerabilities last year, contributing to a 40 percent increase in Internet attacks, according to the CERT Coordination Center, a government-funded cybersecurity monitoring agency based in Pittsburgh.

A July 2002 study from the National Institute of Standards and Technology (NIST) found that software bugs cost the U.S. economy nearly $60 billion a year. NIST also found that improved software testing before release could cut that figure by a third.

The problem, many experts have said, is that the White House's year-old cybersecurity strategy shies away from requiring software developers and technology businesses to improve their security practices. Critics said today's recommendations do not improve the situation.

"Who is [it] that drops the hammer when these people don't live up to their recommendations?" said Jim Lewis, director of technology policy at the Center for Strategic and International Studies in Washington, D.C., and himself a member of the taskforce. "If there ain't no hammer, it sort of devalues this whole process."

Some of the toughest criticism came from Cathy Allen, head of a division of the Financial Services Roundtable, which represents some of the world's largest financial institutions.

Allen resigned from her role as co-chairman of the taskforce last week, saying that it refused to recommend that software developers adhere to stricter security standards when selling their products to the financial industry and other critical infrastructure businesses.

Allen's group also said that the industry should provide more support for older versions of its software and make patching security flaws less costly and more efficient.

"What's missing from this report is the perspective that the financial community and other critical infrastructures already are held responsible for meeting a number of federal regulations on the use of the Internet and computer security, and right now it's all on our shoulders," Allen said. "We're asking for more responsibility from the software community in this regard and this report doesn't address that."

Allen's group, the Banking Industry Technology Secretariat, found in a study last year that its members spend an average of $400 million annually to fix software flaws. The organization estimated that the banking industry as a whole spends nearly $1 billion each year patching and adapting computer systems to remedy software vulnerabilities.

Moritz, the cybersecurity group's co-chairman, said many of the banking group's comments were not submitted until two weeks ago, when the group had nearly finished drafting its report. He said the group would continue to evaluate the proposals.

Alan Paller, director of research for the SANS Institute, a Bethesda, Md.-based security training group, was disappointed that the recommendations did not include using federal buying power to ensure that software vendors meet reasonable security standards.

"Notice that the only place they recommend the government use its economic power to enforce standards was on universities -- not on companies like theirs that earn millions of dollars every week from selling buggy, misconfigured software," Paller said. "The next time the computer industry offers to help make policy for improving cybersecurity, I hope [Homeland Security] follows Nancy Reagan's lead and decides to 'Just say No.'"

The cybersecurity partnership already has released reports advocating an early warning network for Internet threats, as well as recommendations for steps individual computer users can take to protect their systems from online threats. It plans to release two more reports dealing with Internet governance and technology standards. Both reports are due later this month.