White House security officials are coming around to the idea that government regulation of the software industry may be needed to make the National Strategy to Secure Cyberspace work.
Security experts, academics and business executives told Richard Clarke, chairman of the Presidents Critical Infrastructure Protection Board, at a meeting at the Massachusetts Institute of Technology here last week, that the boards strategy needs provisions to hold software vendors accountable for the security of their products.
The gathering is one of a series of meetings that the PCIPB is holding around the country to obtain comment on the National Strategy to Secure Cyberspace, a draft of which was released last month. The deadline for comments is Nov. 18.
Clarke, who has said repeatedly that hed like to avoid new regulations, said his board has received many similar calls for such government intervention.
Sources familiar with the strategys development say the shift in opinion from the private sector has Clarke acknowledging regulation or legislation as a possibility, although he continues to push for other solutions to the problem of insecure software.
"At the end of the day, market pressure is probably what will work," Clarke said. "The federal government cant effectively mandate cyber-security or legislate cyber-security."
Attendees at MIT urged Clarke to consider amending the strategy to include some way of forcing vendors to produce better software, whether through regulation or the establishment of a new body to certify that products meet security criteria.
Such a group could draw up a standard, perhaps along the lines of the ISO 17799 standard for information security—as several people suggested—and use it to judge software products.
"Its in the long-range interest of these vendors to include security in their products," said John Grossman, assistant attorney general and chief of the Corruption, Fraud and Computer Crime Division in the Office of the Massachusetts Attorney General, in Boston. "But theres a need to hold vendors liable for shipping software to consumers who arent technologically savvy."
Despite the calls from security practitioners and CIOs for increased regulation, some security experts say that Clarkes plan to let customers and vendors sort out security issues among themselves is already bearing fruit.
"I would contend that the market pressure is already working, although its pretty slow," said Scott Blake, vice president of information security at BindView Corp., in Houston. "This is capitalism, after all. If people dont buy bad software, vendors will stop making bad software. But if any software company had to go to the level of quality that people want, no one could afford to buy it."
Clarke also said at the meeting that the proposed Department of Homeland Security would include an agency devoted to research and development on new security technologies, dubbed the Security Advanced Research Projects Agency.
Clarke continued to lobby for passage of the bill that would create the new department. (The bill is stalled in the Senate.) Without the combination of the governments scattered information security capabilities under one roof, security will likely improve little in the near future, he said.
"When lots of people have a role, no ones accountable," Clarke said.