Software makers should be legally liable for security holes in their products, according to a group of U.S. scientists.
The National Academy of Sciences is recommending that policy-makers create laws that would hold companies accountable for security breaches resulting from vulnerable products.
In a report released last week, titled "Cybersecurity Today and Tomorrow: Pay Now or Pay Later," NAS researchers urged lawmakers to take "steps that would increase the exposure of software and system vendors and system operators to liability for system breaches."
The researchers also called for laws that would require software makers to report security problems.
Currently, when a malicious hacker exploits a security flaw in a software program, a round of finger-pointing ensues, with blame placed on everyone from the cracker to the researcher who discovered the problem. Usually, it's only the hacker who faces court action. The software maker, at worst, typically suffers from bad press.
In addition, companies often deny that their software has been exploited, saying they haven't heard any direct reports of security problems. Some claim a flaw discovered by a researcher is only theoretical and couldn't be duplicated in the real world.
But as security concerns mount in the wake of the Sept. 11 attacks, more companies are evaluating the safety of their products and focusing on trust.
Just last week, Microsoft Chairman Bill Gates urged his workers to make security the company's "highest priority." In the past, the company focused on adding new features to its software, sometimes at the expense of security. However, in an e-mail sent to Microsoft employees, Gates said the company should work on making its software "so fundamentally secure that customers never even worry about it."