August 4, 2002 12:05 PM PDT
Fed plea: Stop security leaks
Additionally, federal officials said they would use the government's massive purchasing power to force developers to improve the security of their products.
While acknowledging that software makers continue to release buggy products, Richard Schaeffer, deputy director of the National Security Agency, stressed that publicizing a vulnerability without warning, and before a patch has been created, could threaten U.S. computing systems.
"Responsible disclosure means not letting out information that could do harm to critical systems falling into the wrong hands," he said.
Schaeffer's comments echoed those of presidential cybersecurity adviser Richard Clarke, who spoke last week at the Black Hat Security Briefings here. Clarke told attendees that finding vulnerabilities in buggy software is important, but properly handling the disclosure is critical.
Like Clarke, Schaeffer blasted the software industry for the large number of bugs in its applications. "The quality of the software that we are getting is terrible," he said.
Marcus Sachs, a member of Clarke's 16-person Office of Cyberspace Security, warned that the government will use its checkbook to ensure software makers improve their products.
"We, the federal government, have enormous purchasing power," he said. By demanding more secure software, the government can directly affect the quality of product, he added.
The debate over disclosing vulnerabilities has heated up as software security has become a high priority in government and industry. Security researchers who find vulnerabilities often use the information to embarrass companies and score public relations points for their own firms. Conversely, software makers frequently fail to find or disclose problems in a timely manner.
Early last week, for example, Hewlett-Packard threatened a security researcher with a lawsuit for releasing information about a flaw in Tru64, the company's Unix operating system for high-end servers. HP backed off the threat Thursday.
While he didn't support such tactics, Sachs underscored the seriousness of releasing vulnerability information before a patch has been created.
"Microsoft is widely used in the critical infrastructure--more than we thought," Sachs said, stressing that publicized flaws that have not been corrected could damage government systems.
"The time (to deal with this) is now," he said. "We are past the point where we can keep talking about it."