Feds take minimal role in patching holes in cyberspace
In the early 1800s, Prussian strategist Carl von Clausewitz wrote that even the simplest things are difficult to accomplish during war. Now, almost two centuries later, he would probably laugh at the truth of his statement: The United States has computers in just about every office and in most homes, yet even the simplest computer-security defense plans are proving difficult to implement.
Consider the relatively simple task of distributing software patches. These patches close up holes in software through which malicious hackers can seize control of other people's computers. The nation's cyber-defense czar, Richard Clarke, is pressing software companies to push such patches on their customers and to ensure that each hole is closed soon after it's discovered.
But that task isn't as easy as it sounds. Constant innovation by industry requires consumers to constantly tinker with security software. "It is not as easy as turning off the light switch," says Harris Miller, president of the Information Technology Association of America.
Assume that a critical hole is discovered in a software company's flagship product. Theoretically, the company can e-mail a patch to its customers, along with detailed instructions on how to apply the patch. Or the company could apply the patch itself, via the Internet. But even with the best instructions, a patch could cause more problems than it fixes. It could, for example, disable the provider company's other vital software programs. If that happens, "You may irrevocably harm your relationship with your customer," Miller said.
If the software company wants to avoid causing such additional problems, it could tailor the patch for each of its customers. But that would require the company to have intimate knowledge of each customer's computer networks, custom-designed software, and software purchased from rival software makers--information too intimate for the customer to divulge.
"A lot of individuals and organizations are paranoid about Microsoft," said Miller, who has worked with Clarke for several years on cyber-defense issues.
"Some people have suggested we push out patches a lot more," said Vint Cerf, a vice president at WorldCom Inc., a telecommunications giant. "It's an attractive idea, but I don't know how we go about making it work," he told technology executives and government officials at a December 12 conference organized by the ITAA.
The demand for better distribution of software patches comes from Clarke, who is using his office and title--adviser to President Bush on cybersecurity--to pressure industry officials into upgrading their software.
Patches are only one item on Clarke's checklist of cyber-security proposals, and they are by no means the most complex item. The others include getting Internet providers to monitor their networks for dangerous viruses and false Internet addresses, and getting large software companies to make their Internet servers capable of suppressing hacker attacks that result in service denials.
Clarke's checklist, however, does not include any threat of government intervention or imposition. In his speeches to industry, Clarke repeatedly says the government will rely on the free market to produce cybersecurity solutions.
Industry officials welcome this hands-off policy, as well as Clarke's promise to fix the government's flawed security practices. "Everyone would agree the government has a long way to go ... [but] the government is making the right steps," said Robert Holleyman, president of the Business Software Alliance, whose members include major software companies such as Microsoft Corp. A promising step, he said, is the increased pressure being put on the agencies by the security-conscious Office of Management and Budget.
There are many positive developments in the industry, say executives and government officials. For example, to deal with the software-patching problem, government officials are reviewing software that automatically patches holes and helps companies centralize and manage their myriad computer devices. They are also examining new software-design standards that could help many companies simplify the patching tasks.
Members of the industry, especially companies that develop anti-virus software, are developing and using many of these techniques. Microsoft is already upgrading security in its software because of marketplace pressure, said Steven Lipner, the company's director of security assurance. Senior managers are also working with Washington, he said, adding: "We're pretty supportive of the agenda [Clarke] set."
If the software industry fails to find solutions to its many security flaws, however, something new will have to be done, argues an administration official. "We will start putting pressure on these companies," he said.
One concern among executives is that trial lawyers may begin to sue companies on behalf of clients who are economically injured by computer-security flaws. That would be an unhelpful development, Miller said. Accountability is important, he said, but "there's always the issue of people trying to point blame" and thereby slowing innovation.
"The lion's share of what needs to be done [is that] consumers really need to meet the accountability tests," Holleyman said. "That's the most important issue."
But if no progress is made, "Dick Clarke and his team will do what it takes to get [industry's] cooperation," said the administration official. "It is too important to national security not to get this thing done."