The nation's leading big business lobby said the federal government should stay out of the commercial software arena -- maybe -- and allow industry and software companies to jointly address the problem of glitch-prone software.
"There are too often software problems that prevent end users from being able to improve cybersecurity by themselves," said C. Michael Armstrong, chairman of cable giant Comcast and chairman of the Business Roundtable's Security Task Force. The roundtable released a set of principles and an action plan last week aimed at building a more unified defense against the increasing number, and growing cost, of malicious attacks on the global digital network.
The principles state that market solutions for cybersecurity are preferred over statutory and regulatory mandates. However, Armstrong said that corporate software buyers may have to jointly "draw a line in the sand" with software developers. This would probably require a federal antitrust exemption.
"That definitely is an important issue," acknowledged Tita Freeman, spokeswoman for the Business Roundtable. "It is one our companies have raised, and we are looking into it."
If Congress wants to get more involved in software security, it will have the chance when the House Select Committee on Homeland Security publishes a fiscal 2005 authorization bill for the Department of Homeland Security (DHS). The bill is expected to be unveiled before the July 4 congressional recess.
Generally, she said, the committee could charge DHS with developing voluntary best practices and guidelines for corporate purchase and use of software. A more immediate concern for the committee, though -- and one it has obvious jurisdiction to address -- might be the vulnerability of federal government computers. Turner noted that when a federal agency buys software that proves insecure, it can affect other federal agencies.
The obvious place within DHS to address the problems outlined by the roundtable would be the DHS National Cyber Security Division (NCSD). Currently, the NCSD's primary role is detecting viruses and worms and communicating alerts and warnings to business and home computer users.
Another House staffer, who asked to remain anonymous, said of NCSD, "They are not as far along as anyone up here would like them to be. They are taking steps in the right direction, but we would like them to be more aggressive."
This source, like Turner, doubted that Congress will stick its nose directly into software development. But she pointed out that NCSD could be charged with helping to develop a much stronger cadre of cybersecurity professionals, in part by working more closely with other federal agencies such as the National Science Foundation. "That is something we can help with," she emphasized.