Vendor responsibility for insecure software was the central theme during Clarke's visit to the university this week.
CAMBRIDGE, Mass. If Wednesday night's town hall meeting here was any indication, Richard Clarke is getting just what he asked for.
After releasing a draft of the National Strategy to Secure Cyberspace for comment in September, Clarke has embarked on a cross-country tour, soliciting feedback on the document and stumping for passage of the bill that would create the Department of Homeland Security. During his most recent stop, at the Massachusetts Institute of Technology, audience members gave Clarke a wide range of suggestions for the strategy, with many of them centering on the theme of vendor responsibility for insecure software.
Many people asked Clarke, chairman of the President's Critical Infrastructure Protection Board, to consider recommending some form of regulation for the software industry as a way to spur vendors into writing more secure applications. Clarke resisted the idea, as he has in the past, saying that he'd rather rely on market forces and customer demand to weed out the careless vendors.
One area where Clarke agreed that new legislation might be in order is security research. One audience member complained that the Digital Millennium Copyright Act and anti-hacking laws are preventing legitimate security researchers from publishing information on new vulnerabilities.
"You're basically letting them bully us into keeping vulnerabilities secret," the questioner said. "Shouldn't there be some legislation on this?"
"Personally, I think the answer to that is yes," Clarke responded. "We need to have everyone in this country who's an IT expert looking for vulnerabilities."
Jeff Schiller, the event moderator, had another suggestion.
"We also need vendors who, when they put out critical security fixes, don't attach a new license agreement," said Schiller, MIT's network manager and head of the Internet Engineering Task Force's security section. The comment, which refers to an agreement that Microsoft Corp. included with a service pack it released earlier this year, drew a big round of applause from the audience.
In response to several comments about the apathy that many big software vendors show toward security issues, Clarke urged customers and researchers to bring their concerns to him if they aren't satisfied with the vendor's answer. He also pointed a finger at the software makers for not making smart choices in configuring their products.
"People have been shipping software with totally needless, stupid functionality turned on," he said.
Clarke, who served on the National Security Council during the Clinton administration, likened the current attitude toward security to the way some Washington officials used to feel about the potential for terrorism in the United States: it will never happen to us.
"Somebody, someday is going to hurt our economy if we don't start dealing with our vulnerabilities," said Clarke.