Posted on 12/11/2003 5:56:27 PM PST by Myrddin
Legislation that would require publicly traded companies to conduct independent security audits and detail the results in their annual reports could be revived as early as next spring if a special vendor task force fails to produce a viable alternative.
That was the message this week from Rep. Adam Putnam (R-Fla.) after the release of his subcommittee's annual report on government cybersecurity efforts (see story). Putnam, chairman of the House Government Reform Subcommittee on Technology, failed in his attempt to introduce the legislation last month and instead formed the task force.
Most federal agencies received low grades from the subcommittee for failing to protect their computer networks from hackers and other cybercriminals. In a detailed statement after the report was released Tuesday, Putnam blamed the poor state of cybersecurity equally on government and corporate users and on the IT vendor community.
"While some burden is on the shoulders of the user, I feel strongly that a significant burden falls on the shoulders of the hardware, software, operating system manufacturers and ISPs," he said. "These entities until recently have paid insufficient attention to educating consumers as to the importance of security. While billions of dollars have been spent to advertise the benefits of products, such as speed and ease of use, the security component has been neglected."
Putnam also called for the software developer community to deliver software that is "secure out of the box," with all security settings turned on by default. And he wants the vendor community to improve the quality of products being sold in the marketplace, with a specific focus on built-in security features and patch management. Legislation may be required to make automated patch distribution available to all users of all products, he said.
"While software is certainly complicated, with millions of lines of code, there are just some basics that clearly aren't being addressed," he said, citing estimates by the National Institute of Standards and Technology that software bugs and errors cost the U.S. economy $59.5 billion per year. "If the industry doesn't act, Congress will be forced to."
Last month, Putnam tabled the Corporate Information Security Accountability Act of 2003, after, in his words, "numerous companies and associations approached me and asked if we, Congress, would provide the private sector a chance to do this on their own without government regulation" (see story).
As a result, Putnam formed the Corporate Information Security Working Group, including representatives from the Information Technology Association of America, the Business Software Alliance, the Business Roundtable, the SANS Institute and the U.S. Chamber of Commerce. So far, the members of the working group have met twice in an effort to come up with a set of information security best practices and guiding principles that could be adopted voluntarily by the private sector.
"I'm hopeful that we can reach a successful conclusion by late winter or early spring," said Putnam.
"The time for action is now. The time for talk has passed," said a senior aide to Putnam. "It's time to coalesce around an action plan, and all of the people who have accountability need to be a part of that plan."
Speaking Dec. 3 at the U.S. Department of Homeland Security's inaugural National Cybersecurity Summit in Palo Alto, Calif., Amit Yoran, director of the National Cybersecurity Division at the DHS, acknowledged that there are serious "questions we face in software reliability."
Art Coviello, president and CEO of RSA Security Inc. in Bedford, Mass., said in an interview on that same day that the "obligation" already exists in the vendor community to ensure the security and integrity of the Internet, but he argued that regulation isn't needed.
"Companies aren't going to use the Internet if it's unsafe," Coviello said. "It's incumbent upon the technology companies to start that process."