Rating Security
Should the government enforce higher standards for tech vendors?
by Amit Asaravala
May 2002

It's no surprise that in a recent Aberdeen Group study, CIOs and other technology executives ranked security as their number one investment priority for 2002. In February alone, system administrators scrambled to plug a major hole in SNMP-enabled devices; IT managers installed patches for Microsoft Internet Explorer; developers were warned about a buffer overflow in Microsoft Visual Studio .NET; and hackers forced Buhrmann, the world's largest office products supplier, to reveal its financial results a day early after they broke into the company's Web site.
Microsoft, for one, is intensely aware of the need to build more secure products, as was made evident in Bill Gates's recent "Trustworthy Computing" memo to the company's 47,000 employees. But critics say the memo, and the resulting security training for Microsoft's developers, is too little, too late. With bad software and hardware putting companies (and thus the economy) at risk of attack, self-regulation isn't enough. Many in the industry now favor government involvement to help create and maintain security standards for technology products.
But can the government help? Is it fair to impose penalties on vendors who continue to distribute flawed technology? As we've learned from the United States Department of Justice (DOJ) investigation into Microsoft's alleged monopoly, the government's level of interest in investigating technology vendors often depends more on politics than technology. The DOJ began its investigation under the Clinton administration, but under the Bush administration it has dropped demands for a Microsoft breakup.
And do we really want more legislation from the same government that has proposed that a back door be installed in encryption products, a feature that would potentially do more harm than good for national security?
Instead of calling on the government to regulate security standards in hardware and software, we need to establish an independent organization that applies ratings to software and hardware products. A single, universally accepted ratings organization, operating independently of any political or corporate entity, would lower the risk that many companies inadvertently assume when they purchase and deploy technology. The organization's ratings would be similar to those that the National Computer Security Center in the U.S. and the Information Technology Security Evaluation Criteria (ITSEC) scheme in the U.K. provide for government evaluations of IT products. Some third-party testing labs do exist, but they're often too expensive or too slow, or they have ties to particular industry groups.
To test submitted products, the new organization would employ developers who no longer had ties to private-sector companies. The ratings could be given in several categories. For example, if a vendor submitted only executables for an operating system, the organization would test the software against a standard set of known exploits. A vendor that also submitted its source code would have the opportunity to obtain (and advertise) a rating based on a more thorough evaluation. And because it's reasonable to expect that not every security hole will surface during testing, vendors would also be rated on their responsiveness to exploits discovered later, measured by how quickly they produced patches.
Submissions would be voluntary. Yet market forces would encourage most vendors to obtain ratings anyway, because technology buyers would be more inclined to purchase products with better security ratings.
If certain vendors continue to distribute flawed products, we must give technology buyers the means to identify those flaws and the option to purchase truly secure products. Corporations that keep using products with poor security ratings might see their insurance premiums rise to reflect the added risk.
Finally, the government should require public companies to report major software and hardware purchases in SEC filings. This would let investors decide how much risk they want to take on when purchasing shares of a company that buys questionable software. Companies that use products with poor security ratings might be pressured to migrate to more secure packages. And that, in turn, would encourage software and hardware vendors to build more security into their products if they want to remain competitive.
Amit is the editorial director of the New Architect Media Group and has been with the magazine since 1999. He has more than seven years of Internet development experience. You can reach him at [email protected].