Clarke was particularly critical of ISPs and vendors that sell wireless LAN gear. Clarke lambasted ISPs for failing to alert consumers to the dangers of an always-on broadband connection. The nations top cyber-security official also was critical of private companies and government organizations that fail to secure their own networks. "Each of us has an obligation to secure the part of cyberspace we depend on," Clarke said. "There are a lot of people not taking responsibility."The new, united information security component of the Department of Homeland Security would be an ideal go-between for security researchers and vendors, he said. "We should all participate and not assume that companies are going to find vulnerabilities for us," Clarke said. "If they dont respond to you, come to us, and maybe well get a better response." Security experts say that the strategy is on the right track but may be too ambitious. "What hes doing is setting the outer limits, which is great, but I dont think anyone has any illusions that well get there," said Scott Blake, vice president of information security at BindView Corp., based in Houston. "Im a little skeptical." Software vendors, meanwhile, are wary of the government taking on an expanded role in the vulnerability-disclosure process. "Its not necessary for the process to go through them," said Scott Culp, manager of the Security Response Center at Microsoft Corp., in Redmond, Wash. "[The Computer Emergency Response Team] takes care of a lot of that now. People go to them, and they do some technical vetting." "I dont want the government controlling or regulating the Internet, but there has to be a middle ground where the government doesnt walk away," Clarke countered. "Whose responsibility is it to think about the health of the Internet? Its all of us, but the government has a responsibility too," he said. Related Stories:
Clarke Lambastes Software Industry
Security Group Nailing Down Name, Goals
U.S. Consensus Standards Likely Enforced
More Security Coverage
To that end, federal officials are considering a more active role in the way that vulnerabilities are reported to vendors and disclosed to the public.