Government should take the point on cybersecurity, experts say

Security experts today challenged Congress to do more to improve the quality of the nation's software and hardware.

"I need your help," author Bruce Schneier told a House Homeland Security subcommittee. "This is a political problem, not a technology problem. I would like to see government use its purchasing power to improve security."

Schneier, CTO of Counterpane Internet Security Inc. of Cupertino, Calif., and author of many books on cybersecurity, appeared before the Cybersecurity, Science and Research and Development Subcommittee. Also testifying were Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University, and Alan Paller, director of research at the SANS Institute of Bethesda, Md.

The subcommittee was looking for advice on how to meet the challenge of computer and network security. The panelists were in what Schneier called "violent agreement" about the threats facing our information infrastructures.

Pethia and Paller agreed with Schneier's plea to leverage government buying power, saying that government requirements on IT acquisitions could go a long way toward improving the quality of commercial software. Paller said this process has already begun, and that the Energy Department is expected to announce soon a contract with Oracle Corp. in which the company will be required to certify the security of its software configuration.

Schneier also said that liabilities should be imposed on IT users who implement unsecured systems.

"Liabilities will instantly improve security, because it will make it in their best interest for people to secure their systems," Schneier said. "Software security costs money, and if we don't make it in their own best interests to spend it, they won't."

Security problems are growing faster than they can be addressed, the panelists said. Despite increased spending and attention by companies and government agencies, "the number of attacks is going up and the damage is increasing," Pethia said.

"We are in the middle of an arms race," Paller said. "This is one we are going to be fighting for a long time."

The first step in solving the problem is to fix the low-hanging fruit, the handful of known vulnerabilities that account for the majority of security breaches, the panelists said.

Properly patching and configuring known problems will raise the bar for hackers and buy time for researchers and administrators to tackle thornier problems. That will require more money for research and for training IT security professionals.

"Appropriations are tiny" for R&D and training, Paller said.

"You're preaching to the choir," said Rep. Sherwood Boehlert (R-N.Y.), who sponsored a bill to strengthen government R&D investments. "We're all going to push for more money."

William Jackson writes for Government Computer News.