Feeds

‘Punish software makers for bad security’ – NAS

Scientists ask Congress for sane laws

  • alert
  • submit to reddit

Intelligent flash storage arrays

Congress should make it easier to punish companies that produce insecure software that puts business and consumers at risk, a panel assembled by the prestigious National Academy of Sciences (NAS) said Tuesday.

"Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge," the NAS' computer and telecommunications board wrote in a draft report on the nation's computer-security systems in the wake of Sept. 11. "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches."

Mandatory crime reporting and stricter liability are hardly new ideas: many computer-security specialists have recommended such measures for years. But the fact that they are being uttered by members of an NAS panel suggests the once-fringe ideas are more mainstream, and may gain urgency as decision-makers ponder, for example, what might have happened had terrorists launched an effective cyber attack simultaneous with the hijackings of Sept. 11.

"A lot of security experts are starting to feel that way," said Marcus Ranum, chief technical officer of NFR Inc.and moderator of the Firewall Wizards email list. One member of his list recently "posted a long rant about how the vendors are dropping the ball. Then again, there's more than enough blame to go around."

But new liability laws would run counter to legislation that has sought to reduce liability over the past few years. In 1999, Congress passed legislation that absolved companies from being sued over disclosures related to their preparation for the so-called Y2K bug. Legislators have also been amenable to widening protections extended under the Freedom of Information Act, so that companies can rest assured that security problems they have on their networks will not be exposed if they tell the government about them.

Technology companies have naturally steered clear of laws that could increase their liability, and even devising liability standards would be difficult, says Mark Rasch, vice president of cyberlaw for security firm Predictive Systems Inc. in Reston, Va. What, he asks, rhetorically, should be the security standard for a game of Solitaire?

More to the point, he says, is the question why so many companies buy products that are not up to the job.

"Why punish someone for insecure products when there is a secure product [the customer] did not buy?," he asks. "Do we want to have a national law that imposes or warrants a certain level of security on all computers?"

A more educated market, Rasch says, would do much to improve security. "Let's face it, Detroit railed against seat belts railed against airbags for years, but they really didn't take off until consumers demanded them."

For all the criticism of vendors, the NAS panel finds fault elsewhere, too. Mainstream businesses, the panel writes, have failed to take security seriously. In the future, security administrators will need more money and more clout to keep networks safe from terrorists and criminals, the report says.

In addition ordinary workers will need to be trained in good security and have the tools necessary for it on their own computers, according to the report.

Finally, government needs to clean up its own, often pitiful, record in computer security, while funding more research and development to protect computers everywhere, according to the report. The market cannot respond to national imperatives when so many security products are designed for basic business, the NAS concludes.

© 2001 SecurityFocus.com, all rights reserved.

Intelligent flash storage arrays

More from The Register

next story
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.