Feeds

‘Punish software makers for bad security’ – NAS

Scientists ask Congress for sane laws

  • alert
  • submit to reddit

New hybrid storage solutions

Congress should make it easier to punish companies that produce insecure software that puts business and consumers at risk, a panel assembled by the prestigious National Academy of Sciences (NAS) said Tuesday.

"Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge," the NAS' computer and telecommunications board wrote in a draft report on the nation's computer-security systems in the wake of Sept. 11. "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches."

Mandatory crime reporting and stricter liability are hardly new ideas: many computer-security specialists have recommended such measures for years. But the fact that they are being uttered by members of an NAS panel suggests the once-fringe ideas are more mainstream, and may gain urgency as decision-makers ponder, for example, what might have happened had terrorists launched an effective cyber attack simultaneous with the hijackings of Sept. 11.

"A lot of security experts are starting to feel that way," said Marcus Ranum, chief technical officer of NFR Inc.and moderator of the Firewall Wizards email list. One member of his list recently "posted a long rant about how the vendors are dropping the ball. Then again, there's more than enough blame to go around."

But new liability laws would run counter to legislation that has sought to reduce liability over the past few years. In 1999, Congress passed legislation that absolved companies from being sued over disclosures related to their preparation for the so-called Y2K bug. Legislators have also been amenable to widening protections extended under the Freedom of Information Act, so that companies can rest assured that security problems they have on their networks will not be exposed if they tell the government about them.

Technology companies have naturally steered clear of laws that could increase their liability, and even devising liability standards would be difficult, says Mark Rasch, vice president of cyberlaw for security firm Predictive Systems Inc. in Reston, Va. What, he asks, rhetorically, should be the security standard for a game of Solitaire?

More to the point, he says, is the question why so many companies buy products that are not up to the job.

"Why punish someone for insecure products when there is a secure product [the customer] did not buy?," he asks. "Do we want to have a national law that imposes or warrants a certain level of security on all computers?"

A more educated market, Rasch says, would do much to improve security. "Let's face it, Detroit railed against seat belts railed against airbags for years, but they really didn't take off until consumers demanded them."

For all the criticism of vendors, the NAS panel finds fault elsewhere, too. Mainstream businesses, the panel writes, have failed to take security seriously. In the future, security administrators will need more money and more clout to keep networks safe from terrorists and criminals, the report says.

In addition ordinary workers will need to be trained in good security and have the tools necessary for it on their own computers, according to the report.

Finally, government needs to clean up its own, often pitiful, record in computer security, while funding more research and development to protect computers everywhere, according to the report. The market cannot respond to national imperatives when so many security products are designed for basic business, the NAS concludes.

© 2001 SecurityFocus.com, all rights reserved.

Security for virtualized datacentres

More from The Register

next story
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.