Information Security News mailing list archives

If tech companies were liable for security holes, cyberspace would become safer


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Feb 2003 09:05:00 -0600 (CST)

http://www.siliconvalley.com/mld/siliconvalley/5147205.htm

By Miguel Helft
February 10, 2003   
 
Just two weeks ago, a nasty little piece of software known to security
experts as an Internet ``worm'' wreaked havoc in parts of cyberspace.

``Slammer,'' as the worm was dubbed, went beyond the usual disruptions
to e-mail and Web sites: It crippled 911 systems near Seattle,
disabled Bank of America ATMs, and gummed up ticketing systems at
Continental Airlines.

The attack exploited a flaw in a Microsoft database program that was
well known. Microsoft had issued a software ``patch'' to fix the flaw
six months earlier. Computers that had the patch were not directly
affected. Ironically, some of Microsoft's own computer servers did not
have the patch and were overwhelmed by Slammer.

That such an attack took place was no surprise to most security
experts.

But that the relatively simple worm -- Richard Clarke, who just
retired as head of the National Strategy to Secure Cyberspace, called
it ``dumb'' and ``cheaply made'' -- could take its toll on electronic
systems that many believed to be beyond the Internet should worry
everyone.

``More sophisticated attacks against known vulnerabilities in
cyberspace could be devastating,'' Clarke said. ``We cannot assume
that the past level of damage is in any way indicative of what could
happen in the future.''

Making cyberspace more secure is not easy. The global network grew up
as a freewheeling medium that allowed anyone and anything to connect.  
Without profound changes in how computer products are built, and how
networks are maintained, it will remain vulnerable.

``We are making systems so complex that when they fail, they fail in a
major way,'' says Eugene H. Spafford, a computer science professor at
Purdue University specializing in security.

But better technology alone will not suffice. Making cyberspace safer
will require policy changes that affect the economic forces driving
technology decisions.

Companies view security as just another business risk and make
security decisions to minimize costs, says Bruce Schneier, chief
technology officer of Counterpane Internet Security. As long as the
costs of ignoring security outweigh the benefits of extra security,
little will change.

Schneier makes a compelling argument that enforcing liability both for
making shoddy software and for not protecting networks could be the
single most important step to improve security.

``Liability changes everything,'' Schneier wrote in an essay. It will
force companies to rethink their priorities in product development,
which currently emphasize new features over security and robustness.  
And it will force companies to be better guardians of their own
networks and their customers' data.

Liability enforcement will also spawn an insurance industry to help
businesses manage liability risk. That industry, in turn, will demand
better security.

``A company doesn't buy security for its warehouse because it makes it
feel safe,'' Schneier wrote. ``It buys that security because its
insurance rates go down.''

Finally, liability will help establish minimally accepted standards
and processes for developing products and securing networks.

Spafford recommends a similar approach. ``You could set up a tax
credit for companies that invest in certain kinds of security
technology,'' he says. Or we could hold liable a company that uses
software known to be insecure, just like we hold liable a contractor
who ``builds a new factory out of flammable wood, not steel.''

After all, Internet security is a bit like public health. If you don't
protect yourself against disease, you are not only putting yourself at
risk, but others as well.

Unfortunately, Clarke's recommendations, expected to be unveiled soon,
are not likely to endorse any such approaches. Following pressure from
the tech industry, which recoils at the idea of mandates, the plan has
been watered down. ``We've gone from mandates, to recommendations, to
suggestions,'' Spafford says.

Policymakers have been right to be cautious. In a field so complex,
the wrong approach could easily make things worse, not better. And no
one likes to increase the cost of doing business -- at least not until
they realize that the costs of a crippling attack could prove to be
far greater.


Miguel Helft is a Mercury News editorial writer.



-
ISN is currently hosted by Attrition.org
