Who’s responsible for cybersecurity?

WASHINGTON, D.C. – The debate over whether corporate network executives or their software suppliers should shoulder the burden for improving the nation’s cybersecurity is shifting direction as pressure mounts for vendors to ship safer products.

Until now, the software industry has placed most of the responsibility for securing the nation’s information infrastructure on customers of their products. IT lobbying groups have issued recommendations for corporate users, while discouraging new regulations for software vendors.

Corporate executives, who find their organizations vulnerable to viruses and other attacks despite spending more of their IT dollars on security, are fed up.

“Until we address some of the software issues – the fundamental flaws in the software we are all using – we are not going to solve the cybersecurity problem,” says Marian Hopkins, director of public policy for the Business Roundtable, an association of CEOs of the nation’s largest companies.

The Business Roundtable says it will issue a set of guidelines on cybersecurity this month that urges vendors to improve their products.

Owning up

Software vendors are starting to own up to their responsibilities.

Last week, the industry acknowledged for the first time in a report to the Bush administration that the Department of Homeland Security should examine whether “tailored government action is necessary to increase security across the software development cycle.”

The recommendations in the fine print of a report by the National Cyber Security Partnership (NCSP) say the federal government should consider such options as “liability and liability relief, regulation and regulatory reform, tax incentives, enhanced prosecution, research and development, education and other incentives.”

The umbrella organization, which includes the leadership of the IT industry’s top lobbying groups, including the Business Software Alliance, recommends that the Department of Homeland Security produce a report in 2005 that considers how it would be best for the federal government to take action on cybersecurity while preserving innovation.

The NCSP’s other recommendations include: improving the quality of computer security training at universities; developing a software security accreditation program; creating best practices for building security into software design; and adopting guiding principles for patch management.

“Hardware and software vendors are responsible for paying greater attention to secure products,” says Marc Jones, chair of the NCSP’s enterprise task force and CEO of network software vendor Visionael. “Whenever possible, they should be taking the responsibility off the end user. That’s a reasonable request.”

However, Jones warns, improving the software development process is not easy. “There are definite efforts to establish best practices for the software vendors . . . but that’s not an overnight activity,” he says. “And that doesn’t mean consumers or businesses will adopt these new products overnight.”

Demonstrating the pressure that software vendors feel about cybersecurity issues, Microsoft Chairman and Chief Software Architect Bill Gates sent a letter to corporate customers last week outlining the software giant’s progress on improving the security of its operating systems. He cited recent and pending security enhancements to Windows XP Service Pack 2 and Windows Server 2003. He also highlighted what he called “significant” investments by Microsoft in four areas of security: isolation and resiliency; updating; quality and authentication; and access control.

“Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc,” Gates wrote. “It also requires computer users to be proactive about deploying and managing products.”

Customer view

“Our clients demand that we have a high level of security because we maintain their files and documents here in electronic form,” says Kenji Miyaji, manager of IT operations for Pillsbury Winthrop, a New York law firm.

The firm purchased a VPN system and new authentication software last year to improve the security of remote-access services it provides to 1,800 users worldwide.

Miyaji says the firm’s executive committee has asked the IT department to make it a priority to upgrade the firm’s systems, servers and networks with the latest security patches from Microsoft and others.

He says he’d like to see software vendors improve the speed at which they offer security patches. “The press is faster than the vendors in terms of releasing this type of information.”

B. Lee Jones, CIO of Stratex Networks, says software vendors need to do more. “The main thing that comes to mind is the Microsoft operating systems. The operating systems are so large and so complex that there are holes.”

Jones says his No. 1 priority for 2004 is network security. That’s why the San Jose manufacturer of wireless communications systems recently deployed a new policy-based security system for the remote-access services that it offers to 300 users dialing into its network from far-flung locations.

Still, Jones says he is wary of federal government intervention on cybersecurity issues. “The pressure from the customers should be the guiding force,” he says. “It’s hard for me to imagine how you would legislate good software. But it is a good idea to have some guidelines about what kind of compensation you might be able to look for if there was negligence on the part of a software company that caused losses for your business.”

More companies like Stratex and Pillsbury Winthrop are investing in network security. A March survey of 100 CEOs by the Business Roundtable found that 100% of respondents had strengthened cybersecurity since Sept. 11, 2001. These companies have increased security spending an average of 10% since then.

“Cybersecurity is a very important issue that requires CEO attention, and with the increasing number of attacks from viruses and worms, the cost associated with these attacks is growing exponentially,” the Business Roundtable’s Hopkins says.

Network security experts also have pushed software vendors to build better security features into their products.

The software industry’s focus has been “to tell users they have to become computer experts, which is simply not feasible,” says Alan Paller, director of research at the SANS Institute, a Bethesda, Md., provider of network security training. “The vendors are the only entities that can protect the enterprise.”

Paller says vendors should ship software with security configurations turned on and vulnerable services turned off. He also says software vendors should offer automatic update services to deliver software patches to the business customer to disseminate.

He recommends that corporate network managers use their buying power to force software vendors to ship products with more built-in security features. “The only pressure that works is money,” he says.

The cybersecurity debate promises to remain in the limelight, with new groups forming to offer their perspectives. Last week, several software vendors, including VeriSign and Internet Security Systems, announced that they had formed a group called Americans for a Secure Internet.