Gaps in Security Plan

Microsoft's vulnerability-handling plan is a good start but may end up being insufficient as the specter of government regulation of Internet security looms, according to security experts.

Microsoft Corp.s vulnerability-handling plan is a good start but may end up being insufficient as the specter of government regulation of Internet security looms, according to security experts.

As IT security administrators and CIOs were absorbing the details of Microsofts plan last week (see "Cracking Down on Hackers"), the U.S. House Committee on Energy and Department of Commerces Subcommittee on Commerce Trade and Consumer Protection was holding hearings to determine whether the industry was doing everything possible to secure the nations computing infrastructure.

Top executives from Internet Security Systems Inc., Microsoft, Oracle Corp. and others testified last week. The consensus reached was one of a public-private partnership, with several of the witnesses insisting legislation was not the answer to Internet security.

"The private sector can do a lot. We have to work proactively to prevent future attacks, and I believe the private sector can do that," said David McCurdy, executive director of the Internet Security Alliance, in Arlington, Va.

Some House members hinted that action may be forthcoming nevertheless.

"I think its only logical that Congress should address the fact that future [terrorist] attacks could exploit vulnerabilities in our cyber-security networks," said Rep. Mike Doyle, D-Pa. "I hope that this committee will soon take action."

One witness, Mary Ann Davidson, director of security product management at Oracle, in Redwood Shores, Calif., insinuated that the industrys security problems are largely the fault of its largest member, Microsoft.

"You dont get good products in a monopoly market," Davidson said.

Meanwhile, reaction to Microsofts plan to develop a standard for the handling of security vulnerabilities continues to be mixed. Observers said that the time has come for some sort of limited-disclosure plan but that Microsoft shouldnt be the one to manage the process.

"It seems to make sense for information about security vulnerabilities to be closely held," said J.B. Fields, a Washington-based consultant, network trouble-shooter and president of J.B. Fields and Associates LLC. "It seems clear that the indiscriminate publication of information about vulnerabilities is irresponsible. The notion of a secure news group or forum for discussions and meetings between members also seems fitting. I would not be so comfortable with corporate control of such forums."

That sentiment prevails among security industry insiders, many of whom have little love for Microsoft, a company they believe has caused most of its own security problems.

"The reason this move by Microsoft is so dangerous is that it might result in the Balkanization of the security industry even more than it already is, and that could lead to legislation," said Elias Levy, chief technology officer of SecurityFocus, in San Mateo, Calif. "It would allow Microsoft to shift the liability from themselves and have it encoded in the law that people who release details are liable. Theyre on the hot seat, and they had to do something."

Some critics also charge that the Microsoft plan contains nothing new.

"What Microsoft said theyd do last week is what theyve done for the last three years. And in that time, weve had Code Red, Nimda, Sircam and a bunch of other problems," said Russ Cooper, surgeon general at TruSecure Corp., in Herndon, Va. "Nothing has changed. Its not even part of a solution. Its status quo." Cooper recently published a proposal for a group called the Responsible Disclosure Forum, which is similar in some respects to Microsofts plan. Microsoft officials maintain that they are taking charge of the effort only because no one else has been willing to do so.

"Someone has to lead. Our role is to catalyze people into working for a solution," said Scott Culp, manager of the Microsoft Security Response Center, in Redmond, Wash.