Study: Hold Vendors Liable for Security Breaches

A new report by the National Academy of Sciences adds yet another voice to the chorus warning that the nation's information systems are poorly protected.

A new report issued Tuesday by the National Academy of Sciences adds yet another voice to the chorus warning that the nation's information systems are poorly protected.

The authors of this study go further, however, and suggest that the government should consider holding software vendors liable for security breaches in their products.

The report concludes that much of the blame for the sorry state of security in corporate and government networks belongs to administrators and CIOs who fail to deploy readily available technologies such as firewalls and intrusion-detection systems, or to follow industry best practices.

"Many security problems exist not because a fix is unknown but because some responsible party has not implemented a known fix," the report says.

But the authors also recommend that policy makers consider "steps that would increase the exposure of software and system vendors and system operators to liability for system breaches." The report does not detail any specific sanctions for such offenses.

In researching "Cybersecurity Today and Tomorrow: Pay Now or Pay Later," authors Herb Lin and Marjory Blumenthal looked back at several earlier studies by the Computer Science and Telecommunications Board to assess whether information security had improved since their publication.

"The unfortunate reality is that relative to the magnitude of the threat, our ability and willingness to deal with threats has, on balance, changed for the worse," they write in their new report. "From an operational standpoint, cybersecurity today is far worse than what best practices can provide." The CSTB is part of the National Research Council, which is, in turn, part of the National Academy of Sciences.

Beyond exposing vendors to more of the blame for security breaches, the authors recommend that vendors develop better security interfaces for their products, to simplify administration, and test their products more thoroughly for security vulnerabilities.

Lin and Blumenthal also call for more government funding of security research and development, a topic that has gotten some attention lately on Capitol Hill.