[ISN] An Antitrust Antidote for Software Security

From: InfoSec News (isn@private)
Date: Thu Apr 08 2004 - 07:05:04 PDT

    http://www.washingtonpost.com/wp-dyn/articles/A58955-2004Apr7.html
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    April 7, 2004
    
    Congress should change U.S. antitrust laws to make it easier for
    businesses to pressure software vendors to improve the security of
    their products, according to a congressional advisory panel report
    released yesterday.
    
    Under the proposal, certain industry sectors could set software
    security standards for their businesses. Vendors whose software fails
    to meet those requirements would be barred from selling to those
    industries.
    
    The idea is an attempt to find ways for the business community to
    protect critical infrastructures like the electricity grid and the
    banking, water and telecommunications networks from hackers and other
    online criminals.
    
    "There have always been exceptions to antitrust laws when dealing with
    issues relating to national security, and I can't think of a more
    important area to have some standards than in this area of
    cybersecurity," said John Burke, a Washington attorney who represents
    the Financial Services Roundtable, a group of financial services
    companies that participated in drafting the cybersecurity
    recommendations.
    
    The problem, Burke said, is that without a specific exemption from
    Congress or the U.S. Justice Department, the plan could run afoul of
    federal antitrust laws that prohibit group boycotts.
    
    The Corporate Information Security Working Group was convened last
    November by Rep. Adam Putnam (R-Fla.), chairman of a House
    subcommittee dealing with information security. The group met shortly
    after software industry lobbying groups persuaded him to shelve a plan
    to require publicly traded companies to report their cybersecurity
    readiness to the Securities and Exchange Commission (SEC).
    
    Putnam is studying the antitrust idea but has not decided whether he
    will formally introduce it as a bill, said spokesman Bob Dix.
    
    The group's recommendations were released on Tuesday, several days
    after another task force led by the nation's top software companies
    conceded that new government regulations might be necessary to
    strengthen the nation's important computer networks against online
    attacks.
    
    Lawmakers have focused much attention on information security issues
    during the past year amid a spike in identity theft, viruses and other
    online criminal activity. The White House approved a national
    cybersecurity plan more than a year ago but it contains no
    requirements for businesses to improve their electronic security
    practices.
    
    The companies that own 85 percent of the nation's essential
    infrastructure say they are committed to making sure that their
    systems are secure, but many of them complain that the software they
    use is riddled with security holes. Those flaws, they said, cost
    businesses billions of dollars a year. An antitrust exemption, some
    say, would help them collectively pressure software firms for
    improvements.
    
    Cathy Allen, who heads the Financial Services Roundtable's technology
    division, said the software industry has largely ignored the banking
    sector's voluntary security certification program. Instead, she said,
    the software vendors often play off one company against another --
    offering discounts and other incentives to get them to drop their
    security requirements.
    
    "Trying to negotiate better security standards in our contracts with
    the vendors isn't very effective because many companies simply won't
    sell to you unless you agree to their terms," Allen said. "What we'd
    like to do is to be able to put some teeth behind our voluntary
    requirements."
    
    The banking industry spends nearly $1 billion each year patching and
    adapting computer systems to remedy software vulnerabilities,
    according to a Financial Services Roundtable report released in
    February.
    
    The Information Technology Association of America (ITAA) opposes the
    antitrust idea. The association represented software developers and
    other high-tech companies in the cybersecurity working group. It did
    not have the power to veto the antitrust recommendation, which was
    agreed on by consensus among the group's other members.
    
    "This is basically an attempt to give certain industry groups cartel
    market power to fix prices," said ITAA General Counsel Joe Tasker.  
    "What we have is a case where the buyers themselves consistently
    violate their own principles."
    
    "We're not averse to it per se, but we're not sure why it's needed,"  
    said Robert Hoffman, vice president of congressional and legislative
    affairs for business software maker Oracle Corp.
    
    Hoffman said that Oracle supports a number of different ways to
    improve software security, but said that an antitrust exemption is a
    "pretty heavy hammer."
    
    The Justice Department routinely grants antitrust exemptions, said Bob
    Lande, an antitrust law professor at the University of Baltimore
    School of Law.
    
    Antitrust exemptions previously granted by Congress include one
    notable 1970 law that allows newspapers operating in the same market
    to pool their resources on advertising, printing and distribution.  
    Major League Baseball operates under an exemption effectively granted
    by the U.S. Supreme Court in 1922 that requires the league to approve
    any of its teams' decisions to move from one city to another.
    
    "Antitrust laws are amazingly flexible rules and can deal easily with
    legitimate business justifications," Lande said. "The way they're
    being interpreted by today's judges are in a very conservative,
    non-aggressive manner, I can't say the risk of antitrust problems is
    zero, but boy it is low."
    
    Changing the antitrust laws also would hold software developers who
    work with Linux more accountable for security, said Alan Paller,
    director of research for the SANS Institute and a member of the
    cybersecurity group.
    
    Such a requirement would be more challenging for open source vendors
    because much of the software is maintained by thousands of independent
    software developers, he added. "This could force a certain amount of
    discipline on that group that they may not want to have... They would
    no longer be able to throw up their hands and ignore responsibility
    for security just because it's open source."
    
    The cybersecurity working group made nearly two-dozen other
    recommendations. One would limit public access to information about
    the locations and weak points of vital communications, power and water
    networks. Another proposes that Congress insulate companies from
    shareholder lawsuits if a hacker breaks into their systems.
    
    Putnam, meanwhile, plans to introduce a bill to implement another
    recommendation from the panel -- amending the federal government's
    technology acquisition guidelines to ensure that agencies seeking new
    computer software and hardware make cybersecurity a priority.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    
    This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 09:57:34 PDT