Securing Perimeter

Feds consider ways to make ISPs, developers more accountable.

Government officials preparing the federal cyber-security plan due out next month are considering ways of exerting more influence on Internet security that could impact the software and security industries.

The biggest change being discussed would require government agencies to purchase hardware and software that have been certified under the National Institute of Standards and Technologys National Information Assurance Plan standard.

The Department of Defense requires NIAP certification for all technology purchases, and if the entire federal government follows suit, it could shut out all but a few vendors from the federal procurement process.

"Were considering this as a way to use market forces to get vendors to pay attention to the security of their products," said Richard Clarke, chairman of President Bushs Critical Infrastructure Protection Board, at the Black Hat Briefings security conference here last week. "Were trying not to go down the route of legislation."

Clarke conceded that the rigorous NIAP certification process may be too long and too expensive for many vendors.

Also, there is no expedited certification process for vendors that have already had one of their products certified, something that needs to be changed, Clarke said.

The national cyber-security strategy, due to be unveiled Sept. 18 in Silicon Valley, will include recommendations to safeguard the data in industries from banking and finance to chemical manufacturing.

But Clarke said much of the initiative boils down to one thing: Software vendors need to do a better job writing secure code, and network operators need to be more diligent in protecting their networks.