Who's responsible for cybersecurity?
By Carolyn Duffy Marsan, Network World, 04/05/2004
WASHINGTON, D.C. - The debate over whether corporate network executives or their software suppliers should shoulder the burden
for improving the nation's cybersecurity is shifting direction as pressure mounts for vendors to ship safer products.
Until now, the software industry has placed most of the responsibility for securing the nation's information infrastructure
on the customers of its products. IT lobbying groups have issued recommendations for corporate users, while discouraging new
regulations for software vendors.
Corporate executives, who find their organizations vulnerable to viruses and other attacks despite spending more of their
IT dollars on security, are fed up.
"Until we address some of the software issues - the fundamental flaws in the software we are all using - we are not going
to solve the cybersecurity problem," says Marian Hopkins, director of public policy for the Business Roundtable, an association
of CEOs of the nation's largest companies.
The Business Roundtable says it will issue a set of guidelines on cybersecurity this month that urges vendors to improve their
products.
Owning up
Software vendors are starting to own up to their responsibilities.
Last week, the industry acknowledged for the first time in a report to the Bush administration that the Department of Homeland
Security should examine whether "tailored government action is necessary to increase security across the software development
cycle."
The recommendations in the fine print of a report by the National Cyber Security Partnership (NCSP) say the federal government should consider such options as "liability and liability relief, regulation and regulatory
reform, tax incentives, enhanced prosecution, research and development, education and other incentives."
The umbrella organization, which includes the leadership of the IT industry's top lobbying groups, including the Business
Software Alliance, recommends that the Department of Homeland Security produce a report in 2005 that considers how it would
be best for the federal government to take action on cybersecurity while preserving innovation.
The NCSP's other recommendations include: improving the quality of computer security training at universities; developing
a software security accreditation program; creating best practices for building security into software design; and adopting
guiding principles for patch management.
"Hardware and software vendors are responsible for paying greater attention to secure products," says Marc Jones, chair of
the NCSP's enterprise task force and CEO of network software vendor Visionael. "Whenever possible, they should be taking the
responsibility off the end user. That's a reasonable request."
However, Jones warns, improving the software development process is not easy. "There are definite efforts to establish best
practices for the software vendors . . . but that's not an overnight activity," he says. "And that doesn't mean consumers
or businesses will adopt these new products overnight."
Demonstrating the pressure that software vendors feel about cybersecurity issues, Microsoft Chairman and Chief Software Architect
Bill Gates sent a letter to corporate customers last week outlining the software giant's progress on improving the security of
its operating systems. He cited recent and pending security enhancements to Windows XP Service Pack 2 and Windows Server 2003.
He also highlighted what he called "significant" investments by Microsoft in four areas of security: isolation and resiliency;
updating; quality and authentication; and access control.
"Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality,
continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to
block malicious or destructive software code before it can wreak havoc," Gates wrote. "It also requires computer users to
be proactive about deploying and managing products."