A task force of academics, businesspeople and government officials recommends that software companies do more to secure their products and says that, in some instances, the government may need to move in to enforce more secure software code, according to a new report released today.
Led by software giants Microsoft and Computer Associates, companies that comprise the public-private National Cyber Security Partnership admit more may be needed if market forces can't compel software developers to create safer solutions. But first the industry needs to make security a core component of software development at the university level and then encourage best practices at the workplace to reduce the number of vulnerabilities in today's software.
The patching process also needs to be revamped, for example by no longer requiring reboots during installation, and awards and other incentives should go to those developers and vendors who create secure products.
Though it is only one of numerous points in the piece, the recommendation generating the most attention comes from a subcommittee: that the Department of Homeland Security and the National Cyber Security Partnership "examine whether tailored government action is necessary to increase security across the software development lifecycle."
Such an attitude toward government intervention represents a sea change in the IT community, which has long advocated a hands-off approach, relying on market forces to compel software makers to reduce the number of flaws in their products that leave computer networks vulnerable to attack.
This report to the Bush administration admits market pressures may fall short with particularly vulnerable systems, such as critical infrastructure like power plants, water systems and telecommunications.
But not everyone believes the vendors are acting altogether altruistically.
"Read through every recommendation and you'll notice that the giant software vendors that controlled that task force completely avoid the things that matter: there is no recommendation of exploring liability for damages caused by faulty software; no discussion of using federal buying power to ensure software vendors meet reasonable standards; and no discussion of removing antitrust limitations so buyers in critical infrastructure can work together," said Alan Paller, director of research at the SANS Institute.
"And in the one area in which their recommendations could make a long-term difference -- upgrading computer science courses so no one graduates if they have not had secure programming skills and knowledge inculcated in them -- the document provides no effective mechanism," Paller continued. "It's terrible when the industry says 'wait for us, we'll solve the problem,' and then delivers no effective proposals."
However, Ron Moritz, Computer Associates' chief security strategist and co-chair of the National Cyber Security Partnership task force, says it's only a matter of time before liability issues are addressed. And he rushed to point out that the effort was managed by individual cybersecurity experts, not companies.
"There are a number of reasons why liability was deferred for a future report. It may take several months to fully address the problem and we don't have all the insight we need right now," said Moritz. "Rushing to get liability into this report could damage the marketplace and premature action could also divert resources from necessary security issues into legal ones."
Moritz chairs the group with his counterpart at Microsoft, Scott Charney.
Though it may be considered a surprising shift in attitude, the recommendation of more government intervention shouldn't come as a huge shock. Earlier this spring, a new lobbying group composed of a dozen top information security companies vocally supported current government regulation to combat cybercrime -- and to keep other regulations from being created due to lack of private-sector support.
Reaction Thursday was mixed.
"This is positive, but quite out of character for the vendors," said Clint Kreitner, president and CEO of The Center for Internet Security. "I'm encouraged by the apparent willingness to look at a variety of solutions to address this unique global problem."
"I have felt from the beginning that if we could put aside the rhetoric about 'regulation' and 'mandates' and start talking about ways to collaborate in pursuit of the common good with regard to information security, we could make some progress," said Kreitner. "Hopefully this is beginning to happen."