‘Punish software makers for bad security’ – NAS

Scientists ask Congress for sane laws


Congress should make it easier to punish companies that produce insecure software that puts business and consumers at risk, a panel assembled by the prestigious National Academy of Sciences (NAS) said Tuesday.

"Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge," the NAS' Computer Science and Telecommunications Board wrote in a draft report on the nation's computer-security systems in the wake of Sept. 11. "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches."

Mandatory crime reporting and stricter liability are hardly new ideas: many computer-security specialists have recommended such measures for years. But the fact that they are being uttered by members of an NAS panel suggests the once-fringe ideas are more mainstream, and may gain urgency as decision-makers ponder, for example, what might have happened had terrorists launched an effective cyber attack simultaneous with the hijackings of Sept. 11.

"A lot of security experts are starting to feel that way," said Marcus Ranum, chief technical officer of NFR Inc. and moderator of the Firewall Wizards email list. One member of his list recently "posted a long rant about how the vendors are dropping the ball. Then again, there's more than enough blame to go around."

But new liability laws would run counter to legislation that has sought to reduce liability over the past few years. In 1999, Congress passed legislation that absolved companies from being sued over disclosures related to their preparation for the so-called Y2K bug. Legislators have also been amenable to widening protections extended under the Freedom of Information Act, so that companies can rest assured that security problems they have on their networks will not be exposed if they tell the government about them.

Technology companies have naturally steered clear of laws that could increase their liability, and even devising liability standards would be difficult, says Mark Rasch, vice president of cyberlaw for security firm Predictive Systems Inc. in Reston, Va. What, he asks rhetorically, should be the security standard for a game of Solitaire?

More to the point, he says, is the question why so many companies buy products that are not up to the job.

"Why punish someone for insecure products when there is a secure product [the customer] did not buy?" he asks. "Do we want to have a national law that imposes or warrants a certain level of security on all computers?"

A more educated market, Rasch says, would do much to improve security. "Let's face it, Detroit railed against seat belts and railed against airbags for years, but they really didn't take off until consumers demanded them."

For all the criticism of vendors, the NAS panel finds fault elsewhere, too. Mainstream businesses, the panel writes, have failed to take security seriously. In the future, security administrators will need more money and more clout to keep networks safe from terrorists and criminals, the report says.

In addition, ordinary workers will need to be trained in good security and have the tools necessary for it on their own computers, according to the report.

Finally, government needs to clean up its own, often pitiful, record in computer security, while funding more research and development to protect computers everywhere, according to the report. The market cannot respond to national imperatives when so many security products are designed for basic business, the NAS concludes.

© 2001 SecurityFocus.com, all rights reserved.
