DAILY NEWS AND INFORMATION
FOR THE GLOBAL GRID COMMUNITY /
Breaking News -
Security:
Industry Urges Tech Security Upgrades
In a surprise shift, leading software companies acknowledge in a report to the
Bush administration that government might need to force the U.S. technology
industry to improve the security of America's computer networks.
The companies, including Microsoft Corp and Computer Associates International
Inc, said the Homeland Security Department "should examine whether tailored
government action is necessary" to compel improvements in the design of
computer software.
The 250-page report containing that recommendation and dozens more was being
released Thursday. It cautioned that government should require security
improvements only when market forces fail. It also said businesses already are
demanding software that is safer and more resilient to attacks.
But the report said the most sensitive computer networks -- such as those
operating banks, telephone networks or water pipelines -- "may require a
greater level of security than the market will provide."
In those cases, the software companies recommend "appropriate and tailored
government action that interferes with market innovation on security as little
as possible." It urged the government to work with companies to produce a
formal study during the 2005 fiscal year, which begins in October.
The public acknowledgment that any level of new government regulation might be
needed to improve software security represents an important shift by the
technology industry. It has vigorously contested mandates from Washington
during the past decade, even in the face of increasingly devastating attacks
by new generations of hackers and viruses.
"That's a big lean in the right direction," said Alan Paller of the SANS
Institute in Bethesda, Md., a computer-security organization. "It's a nod to
reality; they're nodding but they've got their heels dug in."
The industry recommendations were solicited by the Homeland Security
Department's cybersecurity division in December.
The report was put together by experts who included representatives from the
Defense Department, National Security Agency, technology companies and
universities. The group was organized by executives at Microsoft and Computer
Associates.
"When you look at the key recommendations of the report, the road ahead is for
government and industry to establish a vision for how we can take steps going
forward to make the cyber infrastructure safer," said co-chairman Scott
Charney, Microsoft's chief security strategist.
James Lewis of the Washington-based Center for Strategic and International
Studies, who also participated, described the industry's shift as "recognition
that absent some kind of pressure, software isn't going to get better."
The report did not recommend whether companies should be made legally liable
over shabby software, except to note that "vendors are avoiding almost all
liability for any damages done or expenses caused to their customers and users
from software security problems."
Co-chairman Ron Moritz, the chief security strategist at Computer Associates,
said questions about liability were too complicated to be included in the
report.
Other recommendations include:
- Spending at least $12 million, including $6 million in government money,
during the next 19 months for a dozen new academic fellowships nationwide to
teach future computer engineers to design safer software.
- Providing unspecified incentives to companies for reducing software defects.
- Offering bounties for information leading to the conviction of hackers and
virus writers.
- Establishing a cybersecurity report card for operators of the most
important computer networks.
- Setting up a government laboratory to keep track of software repairing
patches and test how effectively they work.