Companies should certify products' security

Security experts have challenged Congress to do more to improve the quality of the nation's software and hardware. "This is a political problem, not a technology problem," Bruce Schneier told a House Homeland Security subcommittee. "I would like to see government use its purchasing power to improve security." Schneier, chief technology officer of Counterpane Internet Security Inc. of Cupertino, Calif., and author of many books on cybersecurity, appeared before the subcommittee on cybersecurity, science and research and development. The subcommittee was looking for advice on how to meet the challenge of computer and network security. Alan Paller, director of research at the SANS Institute of Bethesda, Md., agreed with Schneier's plea that the government use its buying power, telling lawmakers that government requirements on IT acquisitions could help improve the quality of commercial software. Paller said this process has begun, and that the Energy Department is expected to announce soon a contract with Oracle Corp. of Redwood Shores, Calif.,, in which the company will be required to certify the security of its software configuration. Schneier also said that liabilities should be imposed on IT users who implement unsecured systems.