Don't leave cybersecurity to the private sector, US experts warn

US cybersecurity is too important to leave in the hands of the private sector in the hope that it will lead to more secure software, said a commentator and a cybersecurity analyst at the Gartner IT Security Summit yesterday.

"Isn't the threat too great to leave it in the hands of the private sector and count on them to do it themselves?" said Bill Press, a liberal commentator on MSNBC and columnist for the Chicago Tribune.

During a panel discussion about the possibility of government creating cybersecurity regulations, Press and Rich Mogull, a research director for Gartner Research, both advocated government taking a more active role.

While others on the panel suggested the US government could affect cybersecurity by using its huge purchasing power to influence companies, Press questioned why software companies are not sued for selling products with security flaws.

Without laws allowing software firms to be sued, "you are rewarding people for selling broken products", Press added, leaving buyers to pay the bill.

"If I'm a pharmaceutical company, and I put out a bad drug, my [butt] is going to get sued," Press said. "Why no liability [laws] for software manufacturers?"

Others suggested that defining software security in a law would be nearly impossible. Writing software is more of an art than an engineering science, said John Pescatore, vice president and research fellow at Gartner Research.

Instead of government regulations, software buyers should demand better products, he said. In all but the desktop market, where Microsoft dominates, competition over the past couple of years has helped improve software security, he added.

"If you want to buy crap, the vendors will sell you crap. You control it with your marketplace."

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News' Beltway Boys, asked the panel why more cybersecurity legislation has not been considered in the US Congress.

"There's a fear of stifling innovation," answered Roger Cressey, president of Good Harbor Consulting and former counterterrorism expert at the White House. "Innovation in the software industry is measured in a matter of months, not a matter of years."

Barnes noted that some government and private cybersecurity experts have been warning of the possibility of a "digital Pearl Harbour", a massive attack on US IT assets, for several years. He asked how likely such a scenario was.

The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. "The abilities of the bad guys get better every day," he said.

The US is not ready for a concerted cyberattack, but the government is heading in the right direction, Cressey said. When Cressey was at the White House, he was concerned about a so-called "swarming attack" in which a cyber attack was coupled with a physical attack.

Cressey predicted national legislation would follow a major cyber outage, and Congress would legislate with "a hammer instead of a scalpel".

"If we ever truly have a major cyber event ... then you're going to see Congress legislate," Cressey said. "They will legislate because of a public outcry. It will be bad legislation."

Gartner's Pescatore predicted that legislation focused on protecting critical infrastructure would, eventually, be passed. "We should all be willing to pay more for electricity and for internet access," he said.

But Dix, from the House Government Reform Committee, said he hoped legislation would not be necessary. His subcommittee's chairman, Adam Putnam, floated a draft bill in late 2003 that would have required public companies to report their cybersecurity efforts to the US Securities and Exchange Commission.

Instead, Dix said, he hoped the subcommittee's efforts to raise awareness about cybersecurity would encourage company chief executives to take the issue seriously.

Press suggested that the software industry should be proactive and work with Congress now to pass legislation the industry can live with.

He questioned whether software firms would build in strong security mechanisms without a government prod.

"I don't think you guys are living in the real world, to be blunt," he said to panellists advocating a marketplace approach. "We have a Clean Air Act because [manufacturing] plants aren't going to clean up the air on their own."

Grant Gross writes for IDG News Service