Skip Links

Who's responsible for cybersecurity?

By , Network World
April 05, 2004 12:07 AM ET

Network World - WASHINGTON, D.C. - The debate over whether corporate network executives or their software suppliers should shoulder the burden for improving the nation's cybersecurity is shifting direction as pressure mounts for vendors to ship safer products.

Until now, the software industry has placed most of the responsibility for securing the nation's information infrastructure on customers of their products. IT lobbying groups have issued recommendations for corporate users, while discouraging new regulations for software vendors.

Corporate executives, who find their organizations vulnerable to viruses and other attacks despite spending more of their IT dollars on security, are fed up.

"Until we address some of the software issues - the fundamental flaws in the software we are all using - we are not going to solve the cybersecurity problem," says Marian Hopkins, director of public policy for the Business Roundtable, an association of CEOs of the nation's largest companies.

The Business Roundtable says it will issue a set of guidelines on cybersecurity this month that urges vendors to improve their products.

Owning up

Software vendors are starting to own up to their responsibilities.

Last week, the industry acknowledged for the first time in a report to the Bush administration that the Department of Homeland Security should examine whether "tailored government action is necessary to increase security across the software development cycle."

Deep thoughts
The National Cyber Security Partnership has issued three reports in recent weeks:
Improving Security Across the Software Development Lifecycle
Released April 1. Considers the possibility that government action might be necessary to force software vendors to improve software design. Also advocates improved education and training programs for software developers.
Awareness for Home Users and Small Businesses
Released March 18. Authorizes September 2004 as National Cyber Security Month, advocates a direct-mail campaign to corporate executives and supports regional homeland security forums for CEOs.
Cyber Security Early Warning
Released March 18. Calls for the creation of an early-warning alert network that would cut across industries and provide information needed to prevent attacks, mitigate the impact of attacks and remediate systems.
Additional reports on technical standards and corporate governance are due out this month.
These reports are available at
Click to see:

The recommendations in the fine print of a report by the National Cyber Security Partnership (NCSP) say the federal government should consider such options as "liability and liability relief, regulation and regulatory reform, tax incentives, enhanced prosecution, research and development, education and other incentives."

The umbrella organization, which includes the leadership of the IT industry's top lobbying groups, including the Business Software Alliance, recommends that the Department of Homeland Security produce a report in 2005 that considers how it would be best for the federal government to take action on cybersecurity while preserving innovation.

The NCSP's other recommendations include: improving the quality of computer security training at universities; developing a software security accreditation program; creating best practices for building security into software design; and adopting guiding principles for patch management.

"Hardware and software vendors are responsible for paying greater attention to secure products," says Marc Jones, chair of the NCSP's enterprise task force and CEO of network software vendor Visionael. "Whenever possible, they should be taking the responsibility off the end user. That's a reasonable request."

However, Jones warns, improving the software development process is not easy. "There are definite efforts to establish best practices for the software vendors . . . but that's not an overnight activity," he says. "And that doesn't mean consumers or businesses will adopt these new products overnight."

Demonstrating the pressure that software vendors feel about cybersecurity issues, Microsoft Chairman and Chief Software Architect Bill Gates sent a letter to corporate customers last week outlining the software giant's progress on improving the security of its operating systems. He cited recent and pending security enhancements to Windows XP Service Pack 2 and Windows Server 2003. He also highlighted what he called "significant'' investments by Microsoft in four areas of security: isolation and resiliency; updating; quality and authentication; and access control.

"Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc,'' Gates wrote. "It also requires computer users to be proactive about deploying and managing products.''

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News