Government officials preparing the federal cyber-security plan due out next month are considering ways of exerting more influence on Internet security that could impact the software and security industries.
The biggest change being discussed would require government agencies to purchase hardware and software that have been certified under the National Institute of Standards and Technologys National Information Assurance Plan standard.
The Department of Defense requires NIAP certification for all technology purchases, and if the entire federal government follows suit, it could shut out all but a few vendors from the federal procurement process.
“Were considering this as a way to use market forces to get vendors to pay attention to the security of their products,” said Richard Clarke, chairman of President Bushs Critical Infrastructure Protection Board, at the Black Hat Briefings security conference here last week. “Were trying not to go down the route of legislation.”
Clarke conceded that the rigorous NIAP certification process may be too long and too expensive for many vendors.
Also, there is no expedited certification process for vendors that have already had one of their products certified, something that needs to be changed, Clarke said.
The national cyber-security strategy, due to be unveiled Sept. 18 in Silicon Valley, will include recommendations to safeguard the data in industries from banking and finance to chemical manufacturing.
But Clarke said much of the initiative boils down to one thing: Software vendors need to do a better job writing secure code, and network operators need to be more diligent in protecting their networks.
ISPs Berated
Clarke was particularly critical of ISPs and vendors that sell wireless LAN gear. Clarke lambasted ISPs for failing to alert consumers to the dangers of an always-on broadband connection.
The nations top cyber-security official also was critical of private companies and government organizations that fail to secure their own networks. “Each of us has an obligation to secure the part of cyberspace we depend on,” Clarke said. “There are a lot of people not taking responsibility.”
To that end, federal officials are considering a more active role in the way that vulnerabilities are reported to vendors and disclosed to the public.
The new, united information security component of the Department of Homeland Security would be an ideal go-between for security researchers and vendors, he said.
“We should all participate and not assume that companies are going to find vulnerabilities for us,” Clarke said. “If they dont respond to you, come to us, and maybe well get a better response.”
Security experts say that the strategy is on the right track but may be too ambitious.
“What hes doing is setting the outer limits, which is great, but I dont think anyone has any illusions that well get there,” said Scott Blake, vice president of information security at BindView Corp., based in Houston. “Im a little skeptical.”
Software vendors, meanwhile, are wary of the government taking on an expanded role in the vulnerability-disclosure process.
“Its not necessary for the process to go through them,” said Scott Culp, manager of the Security Response Center at Microsoft Corp., in Redmond, Wash. “[The Computer Emergency Response Team] takes care of a lot of that now. People go to them, and they do some technical vetting.”
“I dont want the government controlling or regulating the Internet, but there has to be a middle ground where the government doesnt walk away,” Clarke countered.
“Whose responsibility is it to think about the health of the Internet? Its all of us, but the government has a responsibility too,” he said.
Related Stories:
- Clarke Lambastes Software Industry
- Security Group Nailing Down Name, Goals
- U.S. Consensus Standards Likely Enforced
- More Security Coverage