By Dawn Kawamoto, 17 February 2005 08:50
A panel of security experts on Wednesday debated the merits of regulating the software industry to curtail software flaws - and hence reduce the volume of virus attacks.
With software flaws serving as the open door to viruses and worms, a panel of industry experts at the RSA Conference in San Francisco debated whether it's time to regulate software companies. The experts were mixed on the effectiveness of such a plan and whether it could be undertaken without curtailing innovation.
Harris Miller, president of the Information Technology Association of America, said: "The issue is not to regulate or not. Our industry is all about innovation, and my concern with regulation is it's often the enemy of innovation."
In that same vein, Rick White, chief executive of technology advocacy group TechNet, said the industry should come together and develop guidelines for best practices on developing software with minimal flaws, rather than imposing regulations.
"Congress will never solve the problem as well as the people who work in the industry," said White, a former congressman from Washington state.
But other panellists were not as sure.
Dick Clarke, chairman of Good Harbor Consulting and former presidential special advisor on cybersecurity, noted efforts to have industries develop guidelines and follow through have failed in the past. He pointed to a deal Michael Powell, outgoing Federal Communications Commission chairman, struck with internet service providers (ISPs).
Powell held a meeting with ISPs, wherein they developed guidelines. And although Powell threatened to regulate their industry if they did not abide by those guidelines, the ISPs did not adhere to those self-imposed practices, Clarke said.
"Powell bluffed them. They knew it, and now he is leaving office," Clarke said.
Other panellists, such as encryption expert and author Bruce Schneier, also called for more action in prompting software vendors to vet through their code before releasing it to the market.
"If we make it in their best interests to do this, then it will happen. You need to find a set of financial incentives," Schneier said. "Regulations would increase the cost of not doing security, and that would increase security [testing]."
He noted companies that currently take the time to test the security of their software before releasing it to the markets are at a disadvantage - higher costs and potential late arrival to the market.
Additional financial incentives may come from customers demanding a certain level of security testing from a vendor, before agreeing to sign a contract to purchase their products, Schneier said.
In offering a post-11 September 2001 warning, Clarke said: "Regulation is neither good nor bad...but the industry should bear this in mind. After we have an incident, regulations will be much worse."
Dawn Kawamoto writes for CNET News.com.

Comments
1. Nick Cole
Enforceable regulations will help, but not on their own.
Ensuring that the victims have effective means of reporting problems, that ISPs, registrars and the other internet managers take responsibility for the anarchy they currently allow would help most.
Unfortunately, all the while there are applications that allow active embedded content that can interact at a command level within the operating system, and that can be set to allow no recipient interaction, the instances of hacking, spam, viruses etc. will continue.
The fact that consumer-level routers do not have sufficiently flexible software to allow for adequate control, that modern operating systems are increasingly dependent on behind-the-scenes connections to remote services, and that application and OS vendors do not provide sufficient technical information to allow for self-management and problem tracking leads, along with the embedded automation, to the very problem they complain about.
The attitude of the net managers allowing anonymous email accounts to set up domains does not help as this provides the means to hide the perpetrators, making the audit trail all but impossible.
Since the internet is international every state that is part of the system should have a publicly advertised computer abuse reporting organisation that is adequately staffed and they should not be allowed to connect to the internet unless their legal systems are capable of dealing effectively with the abuses carried out within their frontiers.