[ISN] If tech companies were liable for security holes, cyberspace would become safer

From: InfoSec News (isnat_private)
Date: Tue Feb 11 2003 - 07:05:00 PST

    http://www.siliconvalley.com/mld/siliconvalley/5147205.htm
    
    By Miguel Helft
    February 10, 2003   
     
    Just two weeks ago, a nasty little piece of software known to security
    experts as an Internet ``worm'' wreaked havoc in parts of cyberspace.
    
    ``Slammer,'' as the worm was dubbed, went beyond the usual disruptions
    to e-mail and Web sites: It crippled 911 systems near Seattle,
    disabled Bank of America ATMs, and gummed up ticketing systems at
    Continental Airlines.
    
    The attack exploited a flaw in a Microsoft database program that was
    well known. Microsoft had issued a software ``patch'' to fix the flaw
    six months earlier. Computers that had the patch were not directly
    affected. Ironically, some of Microsoft's own computer servers did not
    have the patch and were overwhelmed by Slammer.
    
    That such an attack took place was no surprise to most security
    experts.
    
    But that the relatively simple worm -- Richard Clarke, who just
    retired as head of the National Strategy to Secure Cyberspace, called
    it ``dumb'' and ``cheaply made'' -- could take its toll on electronic
    systems that many believed to be beyond the Internet should worry
    everyone.
    
    ``More sophisticated attacks against known vulnerabilities in
    cyberspace could be devastating,'' Clarke said. ``We cannot assume
    that the past level of damage is in any way indicative of what could
    happen in the future.''
    
    Making cyberspace more secure is not easy. The global network grew up
    as a freewheeling medium that allowed anyone and anything to connect.
    Without profound changes in how computer products are built, and how
    networks are maintained, it will remain vulnerable.
    
    ``We are making systems so complex that when they fail, they fail in a
    major way,'' says Eugene H. Spafford, a computer science professor at
    Purdue University specializing in security.
    
    But better technology alone will not suffice. Making cyberspace safer
    will require policy changes that affect the economic forces driving
    technology decisions.
    
    Companies view security just like any other business risk and make
    security decisions to minimize costs, says Bruce Schneier, chief
    technology officer of Counterpane Internet Security. As long as the
    costs of ignoring security outweigh the benefits of extra security,
    little will change.
    
    Schneier makes a compelling argument that enforcing liability both for
    making shoddy software and for not protecting networks could be the
    single most important step to improve security.
    
    ``Liability changes everything,'' Schneier wrote in an essay. It will
    force companies to rethink their priorities in product development,
    which currently emphasize new features over security and robustness.
    And it will force companies to be better guardians of their own
    networks and their customers' data.
    
    Liability enforcement will also spawn an insurance industry to help
    businesses manage liability risk. That industry, in turn, will demand
    better security.
    
    ``A company doesn't buy security for its warehouse because it makes it
    feel safe,'' Schneier wrote. ``It buys that security because its
    insurance rates go down.''
    
    Finally, liability will help establish minimally accepted standards
    and processes for developing products and securing networks.
    
    Spafford recommends a similar approach. ``You could set up a tax
    credit for companies that invest in certain kinds of security
    technology,'' he says. Or we could hold liable a company that uses
    software known to be insecure, just like we hold liable a contractor
    who ``builds a new factory out of flammable wood, not steel.''
    
    After all, Internet security is a bit like public health. If you don't
    protect yourself against disease, you are not only putting yourself at
    risk, but others as well.
    
    Unfortunately, Clarke's recommendations, expected to be unveiled soon,
    are not likely to endorse any such approaches. Following pressure from
    the tech industry, which recoils at the idea of mandates, the plan has
    been watered down. ``We've gone from mandates, to recommendations, to
    suggestions,'' Spafford says.
    
    Policymakers have been right to be cautious. In a field so complex,
    the wrong approach could easily make things worse, not better. And no
    one likes to increase the cost of doing business -- at least not until
    they realize that the costs of a crippling attack could prove to be
    far greater.
    
    
    Miguel Helft is a Mercury News editorial writer.
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 10:47:19 PST