Government May Step Into Security Fray

Prospect is frightening for vendors and security experts who remember battles over governmental regulation of cryptography

SAN FRANCISCO -- A former government lawyer on Wednesday said some federal regulation of computer security is inevitable if vendors and security researchers don't do a better job of policing themselves.

That prospect is a frightening one for vendors and security experts who remember the battles in the late 1980s and 1990s over governmental regulation of cryptography.

Speaking at Microsoft Corp.'s Trusted Computing 2001 forum here, Michael O'Neill, a partner at the law firm Preston, Gates & Ellis and the former general counsel at the Central Intelligence Agency, also took the security experts in attendance to task for irresponsible handling of vulnerabilities and exploits.

O'Neill's comments came just after Mozelle Thompson of the Federal Trade Commission said he doubted the government would get involved in regulating security any time soon.

Microsoft, for one, is spooked by the possibility of government intervention in the security community. Company officials concede, however, that it may become reality soon.

"If we as a security community don't clean up our act, someone will step in and clean it up for us," said Scott Culp, manager of the Microsoft Security Response Center in Redmond, Wash. "We really, really don't want to see that."

To avoid that scenario, Microsoft this week is trying to build support for an industry-backed effort to develop standards for vulnerability reporting and handling. Culp and others inside Microsoft believe that such a standard would cut down on the spread of exploit code and therefore reduce the number of attacks on the Internet.

The standard could include things such as prescribed processes for reporting vulnerabilities to vendors as well as requirements for vendors to respond in a timely manner.

But the effort is in its infancy. The process of forming a group to discuss a standard has yet to begin and Culp said he has no way of knowing how long the entire development effort could take.

As with any Microsoft effort, this one is not without its detractors. Several of the attendees at the conference questioned the company's motives, and there has been much speculation that Microsoft would like to restrict the distribution of vulnerability reports to a select group of partners. Culp vehemently denied that accusation and said that such an effort would fail before it ever got off the ground.

"That's absolutely untrue," Culp said of the reports of Microsoft's intentions. "It wouldn't be accepted. We have no designs for a closed process. We know two things: there's a problem, and we don't have an answer."