Her boss says things like: “We know how to build systems that never fail.” Her company puts the word “unbreakable” in bold red letters in the centre of its print advertising. So Oracle’s Chief Security Officer could be nervous.
But Mary Ann Davidson doesn’t show it. In fact, she has time left over from her duties to advise the rest of the IT industry on its security practices – and failings. Maybe it’s her background as a civil engineer in a world of software engineers, or her spell as an officer in the U.S. Navy, but Davidson sharpens the focus.
Speaking in San Diego recently, she gestured toward the nearby Coronado Bridge. “I love that bridge,” she said. “It’s a beautiful work of engineering and it’s very graceful, but I bet none of you ever thought, ‘I wonder if the bridge is going to be up today? I hope it’s going to be there.’ Think about what would happen if bridges were designed by software vendors.”
At the heart of the problem, she said, is the fact that vendors ignore a simple truth: “The software industry does not yet accept that it is infrastructure, and if you’re building infrastructure, it’s got to work all the time. It’s got to be as secure as that bridge.”
While many people quietly wonder what commitment business really has to defeating buggy software and the virus plague, Davidson says what she thinks. “Venture capitalists would rather fund band-aid companies than vaccine companies,” she said. “Think about this. It’s a licence to print money. ‘I’m going to continue to give you a band-aid for your problem. I don’t really want to cure it. I just want you to keep using band-aids.'”
Like many others, she believes that error-prone manual programming underlies many software woes. “The real problem is, we need to write better software,” she said.
Like many others, she believes the right automated tools could correct the vulnerabilities that crop up, predictably, in every batch of code. But she goes one step further when she says, “There is a big security hole because good practice isn’t automated, and venture capitalists won’t fund this.”
Davidson also believes the public sector has a role to play in correcting the situation. “This is one area where government has the money for research. They could fund development of these tools and give them to industry and say, ‘Look, we’re going to start requiring you to eliminate standard code vulnerabilities and we’re going to give you the tools to do it.'”
Davidson said governments can cure market failures. “One thing they can do is continue to make security a purchasing criteria”, she said, citing the U.S. Defence Department’s requirement for software vendors to submit their products to stringent security evaluations. (What she did not mention was her role in bringing that about, not least by telling the House Armed Services Committee that it was National Cyber Security Partnership).
If necessary, she said – if the industry continues to drag its feet on building better software – governments will legislate. “And the corollary to that is, if you don’t get your act together, you deserve it,” she said.
In the U.S., the National Cyber Security Partnership (NCSP), a collection of IT industry, business and academic groups, has been working on the foundations of a more secure infrastructure. Some of the recommendations are predictable – improved education, best practices for software design, and principles for patch management. Others are practical, if long overdue – investment in the code automation tools Davidson talked about, guidelines for secure network architecture, and improved “common criteria”, the international benchmarking process for secure systems.
Some of the recommendations get right to the point – a network of early warning networks to protect critical infrastructure, and, perhaps most important, taking IT security out of the server room and into the boardroom. In a recommendation that echoes strict new corporate financial guidelines in the United States, the NCSP wrote, “Although information security is often viewed as a technical issue, it is also a governance challenge that involves risk management, reporting and accountability. As such, it requires the active engagement of executive management and boards of directors across all industry sectors and among non-profit organizations and educational institutions.”
If IT companies do feel the heavy hand of the law, they shouldn’t be surprised. As Mary Ann Davidson said, “Government can do a lot, but industry has a huge accountability to start building software that is worthy of the name ‘critical infrastructure.'”
Richard Bray is an Ottawa-based freelance journalist specializing in technology and security issues.