Cybersecurity czar gets tough on responsibility

President Bush’s chief cybersecurity adviser yesterday expanded the administration’s concept of corporate responsibility, warning the IT industry that it is no longer acceptable to sell glitch-riddled software, and urged users to stop buying software that they know isn’t secure.

“Every day in this country there are companies suffering from damages and losses” that are the result of poorly engineered software, said Richard Clarke, chairman of the President’s Critical Infrastructure Protection Board. “The quality control obviously isn’t there,” he said, speaking at the annual Black Hat computer security conference.

Clarke’s comments were met with thunderous applause from a crowd of more than 1,500 hackers and IT security experts attending this year’s convention, the largest in its six-year history. As the country reels from a series of corporate corruption cases, Clarke called for the beginning of a new dialogue in the IT sector focused on corporate responsibility and transparency with respect to IT security.

Problems with software quality and security go beyond the failure of systems administrators to routinely update their systems with new patches, Clarke said. The patches themselves often have glitches that cause “unforeseen consequences” for companies when they install them, he said. As a result, many companies fall behind in patch deployment because they must first test the patches to see what additional problems they might cause.

“Rather than reject Bill Gates’ statement that he’s going to make security job No. 1, I welcome it,” said Clarke. “And I’m going to hold him to it,” he said, adding that other major software vendors should step forward with similar pledges.

Harris Miller, president of the Information Technology Association of America in Arlington, Va., said IT vendors have been moving aggressively on “baking in” rather than “painting on” security for a long time. However, “we are never going to have perfect software, any more than we have perfect buildings or perfect cars or perfect airplanes or any perfect products designed and built by humans,” Miller said. “What is necessary is for consumers to understand that upgrades and patches will continue, just as cars get recalled to fix problems in the original vehicle.”

But Clarke aimed his message at both sides of the supply and demand equation, particularly in the wireless access market. “Why is it that companies have sold [wireless] products that they know are not secure?” he said. “And why is it that companies have bought them? We all ought to shut them off until the technology gets better.”

Although Clarke blamed the government to a certain extent for allowing security awareness to flounder, he also blamed telecommunications companies, Internet service providers and cable companies for offering broadband connections with little or no mention of the inherent security vulnerabilities in such connections.

Tens of millions of people hook up to the Internet via a broadband connection, such as a cable modem, but only one service provider currently warns customers of the risks involved and the need for a firewall to protect their sensitive data, said Clarke.

“[Broadband companies] want to make it cheap for people to become vulnerable to be hacked,” said Clarke. “It’s like selling a car without a seat belt.” He urged ISPs to offer security options as part of a standard or premium subscription package.

“I think we have to play the role of Paul Revere in waking people up,” said Clarke. “I don’t think we can rely on the software companies to find their own vulnerabilities.”

But the government may soon be doing more than playing Paul Revere. As Clarke prepares to release on Sept. 18 the National Plan for Protecting Cyberspace, he also may expand to all federal agencies a new U.S. Department of Defence policy that requires all new IT purchases to be made from a list of independently certified product lines. “The government buys a lot of software,” said Clarke, referring to the US$20 billion budgeted for IT during the next three years. “That will create a market force that will drive security.”