, SecurityFocus 2002-01-08
Report says new laws may be needed to deter companies from producing software with security holes.Congress should make it easier to punish companies that produce insecure software that puts business and consumers at risk, a panel assembled by the prestigious National Academy of Sciences said Tuesday.
"Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge," the NAS' computer and telecommunications board wrote in a draft report on the nation's computer-security systems in the wake of Sept. 11. "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches."
Mandatory crime reporting and stricter liability are hardly new ideas: many computer-security specialists have recommended such measures for years. But the fact that they are being uttered by members of an NAS panel suggests the once-fringe ideas are more mainstream, and may gain urgency as decision-makers ponder, for example, what might have happened had terrorists launched an effective cyber attack simultaneous with the hijackings of Sept. 11.
"A lot of security experts are starting to feel that way," said Marcus Ranum, chief technical officer of NFR Inc.and moderator of the Firewall Wizards email list. One member of his list recently "posted a long rant about how the vendors are dropping the ball. Then again, there's more than enough blame to go around."
But new liability laws would run counter to legislation that has sought to reduce liability over the past few years. In 1999, Congress passed legislation that absolved companies from being sued over disclosures related to their preparation for the so-called Y2K bug. Legislators have also been amenable to widening protections extended under the Freedom of Information Act, so that companies can rest assured that security problems they have on their networks will not be exposed if they tell the government about them.
Technology companies have naturally steered clear of laws that could increase their liability, and even devising liability standards would be difficult, says Mark Rasch, vice president of cyberlaw for security firm Predictive Systems Inc. in Reston, Va. What, he asks, rhetorically, should be the security standard for a game of Solitaire?
More to the point, he says, is the question why so many companies buy products that are not up to the job.
"Why punish someone for insecure products when there is a secure product [the customer] did not buy?," he asks. "Do we want to have a national law that imposes or warrants a certain level of security on all computers?"
A more educated market, Rasch says, would do much to improve security. "Let's face it, Detroit railed against seat belts railed against airbags for years, but they really didn't take off until consumers demanded them."
For all the criticism of vendors, the NAS panel finds fault elsewhere, too. Mainstream businesses, the panel writes, have failed to take security seriously. In the future, security administrators will need more money and more clout to keep networks safe from terrorists and criminals, the report says.
In addition ordinary workers will need to be trained in good security and have the tools necessary for it on their own computers, according to the report.
Finally, government needs to clean up its own, often pitiful, record in computer security, while funding more research and development to protect computers everywhere, according to the report. The market cannot respond to national imperatives when so many security products are designed for basic business, the NAS concludes.