Tech Companies Ask U.S. to Regulate Cyber Security
qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123-page reports, there is a three-page summary available as well.) The Washington Post, Forbes, and Other Sources are covering this story as well. I hope this is just another [late] April Fools' Day joke, but I'm afraid that this looks too scary to be real."
Back in the early 1900s, there used to be a ton of independent phone companies. In spite of using different voltages, ringing systems, etc., they interoperated pretty darned well. But AT&T wanted to be big and was buying them up, and those who wouldn't sell were effectively isolated, the main excuses being interoperability problems. The stink began getting stronger, and eventually AT&T got the government to regulate it as a utility, so it could remain intact and simply be THE phone company. Only the ignorant think regulation was imposed on AT&T; it was their idea.
This smells to me of the same process. Being sued for security holes would be much more effective at increasing security than some hare-brained government regulation scheme. After having thought up all those EULAs which disclaim all responsibility, and blustered about Linux having no-one responsible, this is just another big corporate scheme to maintain their power and squash the small guys, and place the blame elsewhere.
The proper way to improve security is invalidate all those EULA disclaimers. A few big lawsuits with billions in damage verdicts would do far more to focus Microsoft's attention than any government regulatory body.
Infuriate left and right
The process sub-group will work with major software vendors and key critical infrastructure customer organizations to encourage and aid vendors in their adoption of the recommended low defect, higher security-oriented practices and processes.
Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?
I can see the next big M$ lawsuit...
Plaintiff: Their buggy code cost us millions.
M$: But we follow the homeland security software development model.
Judge: So the software must be good. Perhaps the plaintiff was trying to do something illegal?
Plaintiff: Shit... *sigh*
Sure, Microsoft and the BSA aren't the bosom buddies of most Slashdot readers. And for good reason. However, a quick look through the 3-page summary document revealed what seemed to be a reasonable plan of action, rather than a scheme for total world domination.
Of course, if it turns out that the outcome of the regulation process is Microsoft-controlled security protocols and procedures, then there's something to beef about. However, at this early stage I see nothing more than an attempt to codify a national stance on computer security. Accordingly, I'm going to leave my tinfoil hat in its box for the moment.
Tubal-Cain smokes the white owl.
Quote from the Washingtonpost.com article:
"[It] is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," it said. "Any such gap should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible."
In other words, "The legal climate is such that we are very likely to start getting sued for coding sloppy, insecure software. Rather than properly staffing to test our code, we'd rather have the taxpayers pay for this. This (a) saves us money and (b) puts the responsibility on someone other than us if there is a security problem."
Do not fold, spindle or mutilate.