For 12 months, the House of Lords Science and Technology Committee has been gathering evidence of the risk the Internet poses to society. Its report, issued in August 2007, did not pull any punches, but its value will come from the debate it has fuelled rather than the solutions it proposes.
The 100-page report considered the growing importance of IT in everyday life, examining some of the threats of life online and investigating how best to deliver a secure future for everyone. The report primarily focused on personal security, but it also acknowledged that the growing number of home PCs that have been compromised represented a wide-ranging threat.
The Committee condemned what it provocatively dubbed the Government’s ‘Wild West’ approach to Internet security and offered, by way of remedy, some concrete recommendations. Of particular note was the Committee’s assertion that the technology industry has, for too long, escaped any legal liability for ensuring the secure application of its wares.
Software makers, and security vendors in particular, have no incentive to continuously improve the quality of their products, it noted with concern. If vendors were to carry some liability in the event of a user suffering a security breach, argues the report, they would, by dint of sheer self-interest, be more inclined to “make the development of more secure technologies their top design priority”.
Not surprisingly, the report’s recommendations – which will be put to the Government in due course – have caused some consternation among the security providers, many of whom have issued statements claiming the proposition is not only unreasonable but generally “unworkable”.
Trade association Intellect went one further, however, arguing that the enforcement of vendor liability would not only stifle innovation, but it could prove anti-competitive if confined only to the UK. “This could lead to the UK losing competitive advantage and a reduction in the number of British companies working in this growing market,” it concluded.
IT security breaches are costing UK businesses tens of billions of pounds annually, so the importance of secure systems is not in doubt. Given that importance, a workable solution that is both robust and business-friendly must be a priority.
The experts’ response…
Greg Day, security analyst at anti-virus giant McAfee says that security vendors only supply the tools, and it is up to businesses to deploy the tools effectively.
It would be very difficult to hold vendors responsible for breaches, as it really comes down to how solutions are implemented. You would have to ask, ‘Did they have it configured correctly, updated and maintained?’ Every business has different IT security requirements depending on their business and IT footprint.
The simple reality is that most software and hardware vendors are in the business of being successful and making money, otherwise they wouldn’t be in business. So security is driven by demand, and what is highest on the users’ agenda.
Garry Sidaway, principal consultant for authentication specialist TriCipher believes security vendors are not always transparent about the quality of their products.
Vendors have a duty of care, particularly in the security sector, to show they are doing the right things. Where the vendors’ responsibility lies is in developing common standards and then creating software that meets those common standards. Some security providers say they are raising the bar, but they know full well that there are weaknesses in their software. They should say that in one instance their software is secure, but that in other instances there might be risk. Currently, there is too much under the hood for users to judge the robustness of the software in every context.