http://www.washingtonpost.com/wp-dyn/articles/A58955-2004Apr7.html

By Brian Krebs
washingtonpost.com Staff Writer
April 7, 2004

Congress should change U.S. antitrust laws to make it easier for businesses to pressure software vendors to improve the security of their products, according to a congressional advisory panel report released yesterday.

Under the proposal, certain industry sectors could set software security standards for their businesses. Vendors whose software fails to meet those requirements would be barred from selling to those industries.

The idea is an attempt to find ways for the business community to protect critical infrastructures like the electricity grid and the banking, water and telecommunications networks from hackers and other online criminals.

"There have always been exceptions to antitrust laws when dealing with issues relating to national security, and I can't think of a more important area to have some standards than in this area of cybersecurity," said John Burke, a Washington attorney who represents the Financial Services Roundtable, a group of financial services companies that participated in drafting the cybersecurity recommendations.

The problem, Burke said, is that without a specific exemption from Congress or the U.S. Justice Department, the plan could run afoul of federal antitrust laws that prohibit group boycotts.

The Corporate Information Security Working Group was convened last November by Rep. Adam Putnam (R-Fla.), chairman of a House subcommittee dealing with information security. The group met shortly after software industry lobbying groups persuaded him to shelve a plan to require publicly traded companies to report their cybersecurity readiness to the Securities and Exchange Commission (SEC).

Putnam is studying the antitrust idea but has not decided whether he will formally introduce it as a bill, said spokesman Bob Dix.
The group's recommendations were released on Tuesday, several days after another task force led by the nation's top software companies conceded that new government regulations might be necessary to strengthen the nation's important computer networks against online attacks.

Lawmakers have focused much attention on information security issues during the past year amid a spike in identity theft, viruses and other online criminal activity. The White House approved a national cybersecurity plan more than a year ago, but it contains no requirements for businesses to improve their electronic security practices.

The companies that own 85 percent of the nation's essential infrastructure say they are committed to making sure that their systems are secure, but many of them complain that the software they use is riddled with security holes. Those flaws, they said, cost businesses billions of dollars a year. An antitrust exemption, some say, would help them collectively pressure software firms for improvements.

Cathy Allen, who heads the Financial Services Roundtable's technology division, said the software industry has largely ignored the banking sector's voluntary security certification program. Instead, she said, the software vendors often play off one company against another -- offering discounts and other incentives to get them to drop their security requirements.

"Trying to negotiate better security standards in our contracts with the vendors isn't very effective because many companies simply won't sell to you unless you agree to their terms," Allen said. "What we'd like to do is to be able to put some teeth behind our voluntary requirements."

The banking industry spends nearly $1 billion each year patching and adapting computer systems to remedy software vulnerabilities, according to a Financial Services Roundtable report released in February.

The Information Technology Association of America (ITAA) opposes the antitrust idea.
The association represented software developers and other high-tech companies in the cybersecurity working group. It did not have the power to veto the antitrust recommendation, which was agreed on by consensus among the group's other members.

"This is basically an attempt to give certain industry groups cartel market power to fix prices," said ITAA General Counsel Joe Tasker. "What we have is a case where the buyers themselves consistently violate their own principles."

"We're not averse to it per se, but we're not sure why it's needed," said Robert Hoffman, vice president of congressional and legislative affairs for business software maker Oracle Corp. Hoffman said that Oracle supports a number of different ways to improve software security, but said that an antitrust exemption is a "pretty heavy hammer."

The Justice Department routinely grants antitrust exemptions, said Bob Lande, an antitrust law professor at the University of Baltimore School of Law. Antitrust exemptions previously granted by Congress include one notable 1970 law that allows newspapers operating in the same market to pool their resources on advertising, printing and distribution. Major League Baseball operates under an exemption effectively granted by the U.S. Supreme Court in 1922 that requires the league to approve any of its teams' decisions to move from one city to another.

"Antitrust laws are amazingly flexible rules and can deal easily with legitimate business justifications," Lande said. "The way they're being interpreted by today's judges is in a very conservative, non-aggressive manner. I can't say the risk of antitrust problems is zero, but boy it is low."

Changing the antitrust laws also would hold software developers who work with Linux more accountable for security, said Alan Paller, director of research for the SANS Institute and a member of the cybersecurity group.
Such a requirement would be more challenging for open source vendors because much of the software is maintained by thousands of independent software developers, he added. "This could force a certain amount of discipline on that group that they may not want to have... They would no longer be able to throw up their hands and ignore responsibility for security just because it's open source."

The cybersecurity working group made nearly two dozen other recommendations. One would limit public access to information about the locations and weak points of vital communications, power and water networks. Another proposes that Congress insulate companies from shareholder lawsuits if a hacker breaks into their systems.

Putnam, meanwhile, plans to introduce a bill to implement another recommendation from the panel -- amending the federal government's technology acquisition guidelines to ensure that agencies seeking new computer software and hardware make cybersecurity a priority.

_________________________________________
ISN mailing list