Washington Post, 2004-05-20
In the 1976 movie "Network," a television anchorman famously implores his viewers to yell, "I'm mad as hell and I'm not going to take this anymore!" Yesterday, in more measured tones, a high-powered business lobby said just that about computer security on the network of all networks, the Internet.
The Business Roundtable -- which includes the chief executives of many of the nation's largest "old economy" corporations -- launched a public relations blitz that takes the software industry to task for developing products that are continuously vulnerable to hackers and virus writers.
"Most of the significant cyber-incidents that have harmed American business and consumers over the past several years have had at their root cause defective and readily exploitable software code," the group said in a written statement of principles on what should guide cyber-security policy. "Most software development processes used today do not incorporate effective tests, checks or safeguards to detect those . . . defects that result in product vulnerabilities."
When the generally low-key CEOs of companies such as Alcoa and General Motors place ads in the Wall Street Journal and magazines to take a swipe at the technologists upon whom they are so dependent, you know things have reached a critical stage.
Like small and large businesses everywhere, those companies are spending millions of dollars a year patching security hole after security hole in a desperate attempt to ward off crashes and data theft. Too often, it's too late.
For many companies, those are not simply dollars sliced off the bottom line. They divert scarce resources from developing new technologies that companies need to compete in a fast-moving, high-tech world.
The venerable Business Roundtable, with 150 members, was careful to couch its campaign as a multi-pronged approach to get the attention of all corporate executives and users as well as the software industry.
C. Michael Armstrong, chairman of Comcast Corp. and head of the Roundtable's security task force, said in an interview that even the best-made software will be vulnerable if network operators or users fail to employ stringent safety measures.
To that end, the group urges greater attention by corporate boards to cyber-security at their companies, a goal also pushed by task forces working with the Department of Homeland Security to strengthen corporate and government networks.
As a result, the report was welcomed by some trade groups whose members include software companies.
"Now we have America's traditional industries coming together and saying that IT security is important," said Paul Kurtz, head of a new business group called the Cyber Security Industry Alliance. "That's a milestone."
The Business Roundtable also sided with the technology industry in stating that government regulation on security should be avoided.
But it has been a rough couple of weeks for the software industry, as the perception persists that it is trying to avoid accountability by pinning the blame on sloppy computing practices by users.
In a speech last week to an industry conference, former Bush administration cyber-security adviser Richard A. Clarke said breaches are so common because a lot of software is insecure.
"I don't like the idea of 'buyer beware,'" Clarke said, according to the trade magazine eWeek. "It was great in the 14th century, but I think we've moved beyond [that]."
Clarke is one of several academics and cyber-experts who think the time for talking has passed and that action is overdue.
One idea that Clarke and others support is buyers of software collectively demanding basic security standards and features in the systems they buy. If such activity is considered buyers' collusion, then Congress should consider an antitrust exemption, Clarke said.
The Business Roundtable did not make a similar proposal, but Armstrong expressed sympathy for its underlying notion.
"I don't believe the buying community has drawn a line in the sand" on baseline security requirements from software vendors before they buy, Armstrong said. "And I think they can and may have to."
He said that in the short run, buyers might not have enough power for some technology purchases, given that there are only a few vendors selling server operating systems, for example. "But I believe the buying side has the ultimate leverage," he said, adding that he does not think an antitrust exemption is necessary yet.
Robert W. Holleyman II, head of the Business Software Alliance, said an antitrust exemption would be drastic.
"We don't think going down that path is necessary," he said. "We think that our companies are very responsive to the marketplace."
On the Roundtable's effort, Holleyman said that "anything that calls attention to the collective national challenge is an important contribution to the debate."
Krim can be reached at firstname.lastname@example.org.