Tech companies open to security regulation
- By Brad Grimes
- Apr 01, 2004
Although the technology industry still insists that market forces will lead to more secure software products, it admits that the government may need to step in under certain circumstances.
A report released today by the National Cyber Security Partnership said the Homeland Security Department "should examine whether tailored government action is necessary to increase security across the software development life cycle."
Specifically, the report said: "National security or critical infrastructure protection may require a greater level of security than the market will provide."
The group noted that any government action must not interfere with market innovation of security technologies.
An NCSP task force, co-chaired by security experts from Redmond, Wash.-based Microsoft Corp. and Islandia, N.Y.-based Computer Associates International Inc., prepared today's report. The NCSP is made up of public and private organizations, including the Business Software Alliance and the Information Technology Association of America.
"Software security is a serious, long-term, multifaceted problem that requires multiple solutions and the application of resources through the development life cycle," said co-chair Scott Charney, chief security strategist for Microsoft. "There is no silver bullet for making software secure."
The NCSP said it considers education and research to be important in improving cybersecurity. However, the report stated that government funding of security research has been lagging.
The 2002 Cybersecurity Research and Development Act authorized $903 million over five years for training programs and security R&D. According to the NCSP, only about $3 million has found its way into software research.
"The nation has at least a $30 billion problem [referring to the cost of virus attacks and other security problems] and is spending $3 million to research ways to solve it," the report said.
In addition, the report discussed security issues with commercial off-the-shelf software. In recent years, government agencies have shown increased willingness to buy such software because it is less expensive than custom-written software and can be deployed quickly.
The NCSP report said, "Although there is no significant evidence of third-party software being less or more vulnerable … users of third-party software must have some means of identifying and categorizing the trust level of the component they are about to use. The best means of doing this would be to demand that third-party software be developed using secure development processes, and be validated using security validation methods."
The group called on DHS to help identify, fund and encourage secure software development processes.