February 16, 2005 8:20 PM PST

Time to regulate the software industry?

SAN FRANCISCO--A panel of security experts on Wednesday debated the merits of regulating the software industry as a way to curtail software flaws--and hence reduce the volume of virus attacks.

With software flaws serving as the open door to viruses and worms, a panel of industry experts at the RSA Conference here pondered whether it's time to regulate software companies. The experts were mixed on the effectiveness of such a plan and whether it could be undertaken without crimping innovation.

"The issue is not to regulate or not," said Harris Miller, president of the Information Technology Association of America. "Our industry is all about innovation, and my concern with regulation is it's often the enemy of innovation."

In that same vein, Rick White, chief executive of technology advocacy group TechNet, said the industry should come together and develop guidelines for best practices on developing software with minimal flaws, rather than imposing regulations.

"Congress will never solve the problem as well as the people who work in the industry," said White, a former congressman from Washington state.

But other panelists were not as sure.

Dick Clarke, chairman of Good Harbor Consulting and former presidential special adviser on cybersecurity, noted that efforts to have industries develop guidelines and follow through have failed in the past. For instance, Internet service providers did not adhere to self-imposed principles, even after Michael Powell, head of the Federal Communications Commission, threatened to regulate their industry if they did not abide by those guidelines, Clarke said.

"Powell bluffed them. They knew it, and now he is leaving office," Clarke said.

Other panelists, such as encryption expert and author Bruce Schneier, also called for more action in prompting software vendors to vet through their code before releasing it to the market.

"If we make it in their best interest to do this, then it will happen. You need to find a set of financial incentives," Schneier said. "Regulations would increase the cost of not doing security, and that would increase security (testing)."

Companies that take the time to test the security of their software before releasing it are at a disadvantage because of higher costs and potential late arrival to the market, he said.

Additional financial incentives may come from customers demanding a certain level of security testing from a vendor, before agreeing to sign a contract to purchase their products, Schneier said.

In offering a post-Sept. 11, 2001, warning, Clarke said: "Regulation is neither good nor bad...but the industry should bear this in mind. After we have an incident, regulations will be much worse."

16 comments

Here is a novel idea!!!!!!!!!
I think it is necessary to hand down long prison terms to those criminals that exploit computer programs. Instead of rewarding them when they write viruses/trojans, make it a lot less profitable for them. I have noticed quite a few individuals that have brought entire networks to their knees with malicious code, only to be offered a position with a software firm making very good money after their short stints in prison.
An even better idea would be to put them in an arena with their victims and have a no-holds-barred deathmatch where the criminal virus/trojan writer is given a keyboard & mouse to defend themselves against their victims armed with guns & knives.
Lest we forget that they are simple CRIMINALS that should be dealt with as such.
It just doesn't make any sense.
It's kind of like hiring convicted rapists to do an OB/GYN's job. These criminals are using the system against us!
Enough already!
Posted by (1 comment )
re: Here is a novel idea!!!!!
Have a rating system for software.
How easily they are exploited.
How often they fail to live up to their marketing.
Basically use a Consumer Reports style system. Have some reputable firm or person evaluate software. Then leave the market to decide whether or not the software is worth the problems it has. Well, we already know that the market will accept shoddy software, as we are attacked often by viruses, trojans, and spyware.

Use this analogy:

We don't penalize the people who smoke and cause second-hand smoke but the manufacturers of tobacco products. They are the bad ones because they promote their products knowing the dangers. Yet we want to penalize people who write viruses, trojans, and such even though often software developers (companies) know their software will most likely be susceptible to bugs, viruses, trojans and such.

Set standards and enforce them and developers will develop well designed software. Leave it to market forces and in the US the cheapest will win out every time. Otherwise Wal-Mart and such would be out of business already.
Posted by wrwjpn (113 comments )
Regulation no, Accountability yes
I do think regulation will stifle innovation but I see no reason why a company should not be held accountable for their software. For just about every other product you buy, the manufacturer can be held liable for a defective product. Why is this not more prevalent in the software industry? If I download a piece of free code or software that's one thing, but if I pay $250 for an OS or Office suite that claims it can do X Y Z and doesn't, shouldn't that company be held responsible? Heck, it is almost impossible to even return a poorly written piece of software once you open the box, which is like test driving a car and then finding out you're obligated to buy it.
Posted by Buzz_Friendly (74 comments )
Regulation breeds incompetent monopolistic companies
Regulation has shown its value in the airline and other industries already.

It usually creates a group of "fat cats" with connections to the regulators and the industry becomes incapable of innovation or fair competition.
Posted by EdShaffer (19 comments )
W-F AND OMG
Regulate what?! The idea of regulation implies that regulators be experts and have the ability and knowledge to back it up. That means they would supposedly have to have more knowledge than the developer, whether it be IBM, Microsoft, HP, Apple, Sun or you and I.

The reality of this farce is simply an excuse to create another witch-hunt control mechanism. Who is really behind this proposal? I mean where the f--k did it come from?
Posted by Thomas, David (1947 comments )
Let's look at AT&T...
Before the breakup, you had black, desktop, clunky rotary-dial phones. If AT&T had not been broken up, you would still have these. Only because of the breakup of the monopoly do you have cool new phones and even cell phones. Monopolies are content to extract their revenue from captive customers from their already sunk costs.

They're not going to put more money into something where they can already derive most of the revenue. Why spend money when you're not going to really see any return? Look at IE. Until Firefox, MS had 90%+ of the market. Why bother with improvements?
Posted by ordaj (338 comments )
If the Software is Bad Don't Use It.
The idea of regulation is beyond that of sanity. I mean, this article is talking about regulating how someone writes code.

We have software reviews, and multiple providers. We have contracts and license agreements to protect the licensees, licensors, developers, and contractors. We have software reviews. We have design methodologies and principles.

If you know the software you are using is a problem, IT HAS TO BE THE MOST DAMNDEST, STUPID THING TO TRY AND CREATE A RULE TO TELL THE BAD SOFTWARE VENDOR TO MAKE IT BETTER.

USE ANOTHER VENDOR or DEVELOP IT YOURSELF.
Posted by Thomas, David (1947 comments )
The easiest way to handle this...
The best, easiest and surest way to help software and hardware developers ensure that their products are secure is to fine them for every flaw that is found.

For example after a company releases a new product or an update to one they are allowed two flaws (nothing in this world is perfect and I think two is acceptable) after the first two they are fined $1,000,000 for each additional flaw up to ten. After ten the fine is raised to $5,000,000 each up to fifteen. After fifteen the fine is raised to $50,000,000 for each flaw.

This is easy to keep track of and it is easy to manage. It is also a sure way to get companies to secure their software. Any time you start taking money out of greedy corporate profits they will do something about it.

This will not hurt innovation it will only help ensure that software and hardware is secure.

Robert
Posted by (336 comments )
hmm
First I believe a good lawyer could argue that your fines are unconstitutional.

Second, with current languages and size of programs, you can't build a program with only two flaws.

Third, it is anti-competitive because you would put everybody out of business and stop anybody trying to start one out of fear they would never make any money due to large fines. You would also stifle innovation because nobody would want to risk adding features when it may cause huge liabilities.
Posted by System Tyrant (1453 comments )
regulation
Business now relies on the necessity of computers and the internet. To regulate is to suggest enforcement of the world. Predators will always exist and vulnerability will not be removed completely, only reduced. Software can always be broken. Just by its very definition. Look it up in Webster's Dictionary. Would you build a 10 million dollar structure and not install fire protection? Hardware exists that will instantly take you to a time before any issues existed. Local bus control redefines protection and creates a time machine encapsulation that is the answer to hassle-free operations. Zero down time. Hardware. We use it and it cannot be broken by software. Software is a necessary evil but hardware protection against software seems to be the only regulation people should be made aware of. OEMs won't tell us that because it would halt the current money machine. Fear and software.

TK
Posted by (7 comments )
King Canute
So, King Canute, being outrageously flattered by his advisors, tried to command the tide - he got wet feet.

Trying to legislate code quality will have similar results. There are some things which are not going to work - producing millions of lines of fault-free code is one of them.

But the problem isn't just writing a = b + c; when you mean a = b - c; It's the high-level architectural design failures (not faults - just things you didn't think of) and the low-level design failures (e.g. not catering for a user pressing every key on their keyboard, in sequence, 5 times, after a program hangs).

We've had cars for over a hundred years & there isn't a car that can't be stolen. We've had banks for centuries and they can still be robbed. Why expect totally secure software after a few decades?

Q. If M$ made a version of Windows that was KNOWN FOR A FACT to be 100% secure, would you buy it.....if it cost $5,000? How much EXTRA are you prepared to pay for security?

Perhaps we could improve robustness of security features by
a. diverting effort from developing new features to working on security - but who'd buy a product with no new features.
b. more patches & service packs with longer intervals between complete new releases - but that doesn't make money.
c. More effort to have a robust kernel - but that may limit the ability to add new features.
d. Have a common set of standards for public online security, with a ratings system to identify who best meets those standards, and having more competition & some way of resolving responsibility when 2 products from totally different companies interact to cause a breach - to decide who is responsible. My choice, by a hair's breadth.

Or, we could just keep demanding better & more secure software as the industry develops & keep educating users not to leave themselves open to breaches (there are 3 wireless networks down my street that my wireless connection detects - only 1 is secure. I've sent a note to the HOA to remind people to lock their networks).
Posted by (409 comments )
The problem isn't the software...
Software regulation is not about jail terms or making people pay fines for writing malware, viruses and the like. It's about tightening the reins on how applications are written. Microsoft needs to make it more difficult to have an application start up automatically with Windows. We are all extremely tired of every single software manufacturer deciding that their software is important to load with Windows. Microsoft should implement a registration system that will require software developers to register with it in order to create an entry in the Windows registry. Of course it will be hacked no matter how good the encryption methods, but at least normal software developers will be unable to start their crapware automatically.
Posted by (2 comments )
No Regulation, but certification & comparison
I don't feel that government regulation would greatly improve software, although it would push the price up significantly. Government regulations tend to adapt to markets over the course of decades, whereas software can change drastically in a year.

Also, software isn't a one-size-fits-all product. How would you write a regulation that was equally sensible for a financial program, and a video game, and a quantum chemistry code, and a hardware device driver, and an air traffic control system, and a compiler, etc., etc....?

I am in favor of third-party validation. You could have the Consumer Reports style rating for security or number/significance of bugs. You could have an ISO or 6 sigma style certification of software, testing practices, software developers, etc. Some of this exists on a sporadic case-by-case basis, but I think there is room for some organization to become the source that the majority of the industry looks to before making purchases.

One thing I greatly dislike. In my own industry (computational chemistry) I know of companies that have wording in the software license agreement forbidding the purchaser from publishing any type of comparison between their product and competing products. I'm not sure if this is even an enforceable clause (freedom of speech?). However, I feel that it is harmful to the consumers, the industry, and the software manufacturers themselves. If this is legal, I would like to see it made illegal. The software manufacturer is still protected from undeserved harmful reviews by libel and slander laws, so there should be no reason for them to object.
Posted by qmuser (13 comments )
Businesses need to quit paying for bad software.
Buzz_Friendly had it partially right. Additionally, businesses need to quit accepting and paying for products that do not work properly. That is what a market-based society is all about. As long as businesses continue to pay for inadequate software they will get what they pay for.
Posted by (1 comment )