Software Security Warning Issued

Times Staff Writer

Homeland security officials came to Silicon Valley on Wednesday and told technology executives that if they couldn’t do a better job of protecting computer networks from attacks, Washington would be likely to impose regulations on them.

Speaking at a federal cyber-security meeting in Santa Clara, Calif., Homeland Security Secretary Tom Ridge said that a few lines of malicious code could do as much damage “as a handful of bombs.” But he said he preferred to let technology companies take the lead because 85% of the country’s Internet infrastructure was in private hands.

Then Assistant Secretary Robert Liscouski warned that if the industry failed to do a convincing job, “there already are a lot of people out there ready to legislate how you do your work.”

In the meantime, the officials said they would continue to rely on the private sector to voluntarily implement key pieces of a national security plan unveiled earlier this year.

Several business groups announced initiatives to give the government more information about how well-equipped private companies were to defend against electronic attacks. They also pledged to step up efforts to convince companies of the need to arm themselves.

Several task forces staffed by federal officials and private-sector chief executives convened at the National Cyber Security Summit, the first of its kind.

They began work on campaigns to increase consumer and business awareness of security issues, improve a national early-warning system to spread word of attacks, and find ways to bolster software so that it is less vulnerable to an assault.

In addition, the Silicon Valley lobbying group TechNet published a lengthy scorecard to help companies evaluate their preparedness, and the Information Technology Assn. of America said it would work with USC’s Center for Telecom Management to survey companies on the state of their security and track their progress.

Federal officials concede the challenges are daunting. The frequency of security breaches is increasing, and hackers are taking advantage of vulnerabilities faster than ever.

Liscouski and Amit Yoran, director of the national cyber-security division, told the 350 attendees that new laws could be forthcoming if companies failed to act before a new round of attacks similar to the recent Blaster worm or SoBig virus, which overpowered e-mail programs and crashed computer systems.

Greater regulation isn’t off the table, Liscouski said. The National Academy of Sciences already has called for more regulation, including civil liability for software vendors whose products are poorly designed. That’s anathema for big companies such as Microsoft Corp.

But unless such laws are passed, most CEOs would be reluctant to invest lots of money in computer security, especially when they can’t be sure that their rivals are spending, said skeptics including Bruce Schneier, chief technological officer at Counterpane Internet Security Inc. in Cupertino, Calif.

“[Former cyber-security chief] Richard Clarke tried this same strategy two years ago. It didn’t do any good,” Schneier said. “Unfortunately, asking nicely doesn’t work.”
