The greatest threat to the nations data networks today is not nascent cyber-terrorism lurking in the shadows but rather technology vendors unwilling to invest adequately in security, experts told Congress last week. Increasingly, industry insiders are seeking ways to make vendors accountable for their products.
As the Department of Homeland Security continues to shape its responsibilities, many in Congress, industry and academia are looking to the new agency to play a greater role protecting critical infrastructure, most of which is held by the private sector.
“There may come a time when a cyber-incident could also cost American lives, especially if there are concurrent attacks on physical and virtual infrastructures,” U.S. Rep. Mac Thornberry, R-Texas, said upon convening a hearing of the cyber-security subcommittee of the House Select Committee on Homeland Security.
Cyber-terrorism might one day be a problem, agreed Bruce Schneier, chief technical officer at Counterpane Internet Security Inc., but today, Schneier said, it is an unwarranted worry churned up by companies looking to stoke fear and by news media seeking sensational stories. The effects of cyber-attacks are far less terrorizing than they might seem, and worrying about cyber-terrorism detracts from addressing cyber-crime and basic security lapses, Schneier said in testimony before the subcommittee.
The CERT Centers at the Software Engineering Institute at Carnegie Mellon University, in Pittsburgh, found that security features in most products have not improved over the past few years.
Developers are not adequately applying lessons learned about the source of vulnerabilities, according to Richard Pethia, CERT director. Pethia told Congress last week that the government should consider including “code integrity” clauses in contracts to hold vendors responsible for defects.