Can the feds buy their way to better cyber security?
- TAGS: alan paller, cyber, cybersecurity, federal government, programming errors, security, software
- IT TOPICS: Government & Regulation, Security, Security Hardware & Software
Among the suggestions for improving federal cyber security proposed at Tuesday's hearing of the Senate Homeland Security Committee, one that appeared to garner a fair amount of interest from lawmakers had to do with using the government's buying power to boost security.
The suggestion, from Alan Paller, director of research at the Bethesda, Md.-based SANS Institute, is one shared by several others both within government and outside it. The basic premise is that the government, which purchases over $70 billion worth of IT products a year, can use its enormous buying power to force vendors to make their products more secure.
Most often, cyber criminals and foreign adversaries penetrate systems and networks through common programming errors and insecure configuration issues that are well understood at this point but that vendors keep repeating in their products all the same. Requiring vendors to fix these issues before they are permitted to sell into government is a surefire way to improve security and reduce costs, Paller says.
An example of where this approach has worked is the U.S. Air Force, which has deployed over 500,000 desktops with a secure, standard Windows desktop configuration, Paller says. "Dozens of customers had asked Microsoft for more secure configurations and all were refused or were asked to pay large amounts of money for consulting services to develop customized settings," Paller wrote in his testimony for the Senate hearing.
But because the Air Force was about to spend $500 million on Microsoft software, it was able to tell Microsoft what it wanted from a security standpoint and get the vendor to bake it into its products. The result has been much more secure software and substantially lower procurement and operational costs for the Air Force, he says. The Air Force model is now being replicated across other agencies, and there is no reason the same approach should not be used for all technology procurement by the U.S. government. The Air Force procurement has also led Microsoft to bake similar security into the products it sells to many other buyers, Paller says.
The idea of using procurement as leverage for better security appeared to appeal to Sen. Susan Collins (R-Maine), the ranking member of the Senate Homeland Security Committee, and Sen. Joe Lieberman (Ind-Conn.), its chair. Lieberman found the testimony "riveting", and Collins found it "very compelling" that a federal official would have to literally beg software vendors such as Microsoft to provide more secure software. She sought specific recommendations on how federal purchasing power could be used to get vendors to incorporate more security into their products and implied that this is a topic she will be looking into going forward.
That is something a lot of people will no doubt want. As security consultant David Rice says in his book Geekonomics, software products in general have had largely detectable and preventable security defects for a long time now. Yet vendors have done little to address the problems because they have had very little incentive to do so, he says. Unlike the auto industry, the software industry has no formal safety rating system that consumers can use when making purchasing decisions. There also isn't a whole lot of choice. So consumers and businesses by and large have had to live with whatever the vendors have given them, and then have been forced to patch and pray later. That is why some are now advocating that the government step in and use its purchasing power as a weapon to get vendors to make more secure products. The question is whether it will work.