A House of Representatives subcommittee on technology, reacting to the overwhelming worm activity of last month, picked the brains of leading security experts and executives Wednesday during a hearing. Testimony was heard on the need for legislation, cleaning up the software development process, full disclosure, public-private information sharing, education programs within the enterprise and the dissemination of information to home users.
Legislation and government regulation has been a bugaboo because lawmakers, enterprises and vendors have long fought to avoid political intervention. That may no longer be a viable scenario, said Chris Wysopal, director of research and development at consulting firm @Stake Inc.
"We regulate just about every industry where safety is a concern," Wysopal said. "When computers are compromised, we're approaching similar safety concerns. If the Blaster worm contributed to the severity of the blackout for example, now we're talking about a safety issue. Lives are in danger."
Wysopal provided legislators with information about the software development process, the source of many vulnerabilities exploited by malicious code writers. He also talked about vulnerability research and the disclosure of security information.
"We have so many systems in place and people holding them together with patches and antivirus software, one slip-up and you're in a situation where your data or people are at risk," Wysopal said. "We've added so much complexity that this Band-Aid approach doesn't work anymore."
Others who testified before the committee were: Richard Pethia, director of the CERT Coordination Center; Robert Dacey, director of IT security for the General Accounting Office; Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys Inc.; Phil Reitinger, senior security strategist for Microsoft Corp.; Vincent Gullato, vice president of the antivirus emergency response team at Network Associates Inc.; John Schwarz, president of Symantec Corp.; and others.
One legislator asked if the government could use its buying power as an influence.
"Absolutely," Wysopal said. "If the government could do the testing, all users would benefit. That way, the government could ensure they were getting quality software and companies could follow their example."
Disclosure and the dissemination of information were also fresh on the minds of those asking the questions, and those testifying.
"There's a need to take action on both sides, from the government side and the corporate side," said Eschelbeck. "The committee wanted to hear recommendations for the home users as well, because they have the least amount of information about vulnerabilities and how to avoid becoming victim to one of these attacks.
"One very concrete recommendation came out of today, and that's education needs to play an important role inside the government, in the corporate world and to protect the home user. The information flow is important; how do we get alerts out as quickly as possible."
New threats were also discussed, in the wake of last month's Blaster and Sobig-F worm outbreaks.
"If you look at the Internet as we know it today with IP addresses, etc., it's a pretty closed network still," Eschelbeck said. "But with the emergence of 802.11 telephones and other similar devices, the issue becomes a bigger one. Today's cell phone networks are not necessarily proprietary, but they're closed systems. If you introduce 802.11 mobile phones and other devices, this is an open technology and a different magnitude of problem."
Most Internet attacks have been relatively benign, in terms of payload. Some generate volumes of traffic that clog networks and result in expensive downtime, but few do actual destruction. Blaster, on the other hand, had a significant payload and essentially forced Microsoft to take down its Windows Update site. Members of Congress today wondered how future Blasters might mutate.
"Motives are changing," Eschelbeck said, noting some digital criminals are out for more than notoriety, but for profit. "With Blaster, part of the payload launched a denial-of-service attack against Microsoft. Next time, it could be against a specific corporation or geographic region of the Internet. All opportunities are open."
FOR MORE INFORMATION:
FEEDBACK: Has the time come for government to legislate against bad software?
Send your feedback to the SearchSecurity.com news team.