Clarke: Hold Developers Accountable for Software Insecurity

Enterprises must speak out on what they want from the software industry, the White House's former top cyber-security official tells attendees of the eWEEK Security Summit.

NEW YORK—The federal government and private enterprise should band together and hold software developers responsible for the poor state of security of their applications, according to the White Houses former top cyber-security official.

Speaking this week at the eWEEK Security Summit here, Richard Clarke, chairman of Good Harbor Consulting LLC, of Herndon, Va., and former chairman of the presidents Critical Infrastructure Protection Board, said the inherent insecurity of most software produced today is a major factor in the troubles plaguing enterprises and home users.

To solve the problem, Clarke called on the government to put pressure on the software industry to develop and maintain secure coding practices.

"The reason you have people breaking into your software all over the place is because your software sucks," he told conference attendees. "I dont like the idea of buyer beware. It was great in the 14th century, but I think weve moved beyond [that]."

Clarke also encouraged enterprises to get together and inform their vendors that theyre not happy with the security of their software.

"Industries should establish what they want from the software industry," he said. "Lets allow these industries to get together and say what they expect. If they need an antitrust exemption for that, lets give it to them."

Clarke also suggested that CIOs and home users should encourage the government to do its part in the process and lead by example.

"All of you should pressure the government to do something about security. If the government was doing its job, things would be better," he said.

The current climate surrounding the issues of corporate governance and privacy—and the publics desire for some accountability for security breaches—is driving lawmakers to consider drawing up legislation to address these problems, according to security experts.

/zimages/5/28571.gifRead more here about experts perception that security regulations are inevitable.

"I personally believe regulation will happen sooner rather than later," said Chrisan Herrod, a professor at National Defense University in Washington. "If you dont get involved, you will have individuals driving this train, and you might not like the direction."

Herrod said that without input from the people involved in the daily practice of security, the regulatory process could go off the tracks quickly.

/zimages/5/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

Darwin John, former CIO of the FBI and now a strategic adviser with Chicago-based Blackwell Consulting Services, echoed Herrods sentiments. "Are we going to have regulation? Probably. Are you going to like it? Probably not," John told the assembled audience of CIOs, chief security officers and other senior executives at the security summit.

"But in the security business, there are no absolutes, and thats very difficult for some people to accept."

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis. Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/5/19420.gif