There were two interesting developments last month in the realm of information security. One was the release of a new report by the National Academy of Sciences; the other was the apparent Saul-on-the-road-to-Tarsus conversion of Bill Gates to a belief in the paramount importance of security.
The NAS report, “Cybersecurity Today and Tomorrow: Pay Now or Pay Later,” observes that security is often neglected because it costs money. But the most attention-getting recommendation is for policy-makers to consider “legislative responses,” including making vendors liable for security breaches.
This recommendation is going to mean a serious change in the way we have approached vendor accountability. It also raises many questions about how such legislation will work. Assignment of liability depends on shared assumptions about what constitutes adequate security efforts and on whom the burden of making those efforts rests. Currently, the security burden lies with the consumer to keep up with patches, but that has become an overwhelming task. Since it is less costly and less disruptive to write secure software upfront than it is to clean up thousands of systems later, the bulk of the burden should lie with the vendor.
Unfortunately, under current law, software vendors apparently have little motivation to assume that burden. Consider the buffer overflow. Weve known about it since the dawn of programming. Therefore, its reasonable to state that vendors that release software containing buffer overflows are guilty not only of sloppy programming but also of willfully disregarding security. Grounds for a lawsuit, then? Maybe, but only if you can show that you sustained some level of damage. Still, imagine the consequences if hundreds of angry corporate customers joined in a class action suit over, say, bug-ridden Web server software. Im astonished this hasnt happened yet.
Maybe such a nightmare helped propel Bill Gates into sending his security memo. Now Microsoft will have to walk the talk, starting by changing development practices and accountability. Ive said it here before, and Ill say it again: Bill, security has to be baked in, not painted on. Get cookin.
Jody C. Patilla, a security consultant, can be reached at jcp@cluestickconsulting.com.
