[Infowarrior] - Can the feds buy their way to better cyber security?
Richard Forno
rforno at infowarrior.org
Thu Apr 30 23:35:24 UTC 2009
April 29, 2009 - 12:58 P.M.
Can the feds buy their way to better cyber security?
http://blogs.computerworld.com/can_the_feds_buy_their_way_to_better_cyber_security_0
Among the suggestions for improving federal cyber security that were
proposed at a hearing by the Senate Homeland Security Committee
Tuesday, one that appeared to garner a fair amount of interest from
lawmakers had to do with the use of government buying power to boost
security.
The suggestion from Alan Paller, director of research at the Bethesda,
Md.-based SANS Institute, is one shared by several others within
government and outside it. The basic premise is that the government,
which purchases over $70 billion worth of IT products a year, can use
its enormous buying power to force vendors to make their products more
secure.
Most often, cyber criminals and foreign adversaries are able to
penetrate systems and networks because of common programming errors
and insecure configurations that are well understood by now but which
vendors keep repeating all the same in their products. Requiring them
to fix these issues before they are permitted to sell to the government
is a surefire way to improve security and reduce costs, says Paller.
An example of where this approach has worked is the U.S. Air Force,
which has deployed over 500,000 desktops with a secure, standard
Windows desktop configuration, Paller says. "Dozens of customers had
asked Microsoft for more secure configurations and all were refused or
were asked to pay large amounts of money for consulting services to
develop customized settings," Paller wrote in his testimony for the
Senate hearing.
But because the Air Force was about to spend $500 million on Microsoft
software, it was able to tell Microsoft what it wanted from a security
standpoint and get the vendor to bake it into its products. The result
has been much more secure software and substantially lower procurement
and operational costs for the Air Force, he says. The Air Force model
is now being replicated across other agencies, and there is no reason
the same approach should not be used for all technology procurement by
the U.S. government. The Air Force procurement has also led Microsoft
to bake similar security into the products it sells to many other
buyers, Paller says.
The idea of using procurement as leverage for better security appeared
to appeal to Sen. Susan Collins (R-Maine), who is the ranking member of
the Senate Homeland Security Committee, and Sen. Joe Lieberman
(Ind-Conn.), who is its chair. While Lieberman found the testimony
"riveting", Collins found it "very compelling" that a federal official
would have to literally beg software vendors such as Microsoft to
provide more secure software. She sought specific recommendations on
how federal purchasing power could be used to get vendors to
incorporate more security into their products and implied that this is
a topic she will be looking into going forward.
That is something a lot of people are likely to want, no doubt. As
security consultant David Rice says in his book Geekonomics, software
products in general have had largely detectable and preventable
security defects for a long time now. Yet vendors have done little to
address the problems because they have had very little incentive to do
so, he says. Unlike the auto industry, the software industry has no
formal safety rating system that consumers can use when making
purchasing decisions. There also isn't a whole lot of choice. So
consumers and businesses by and large have had to live with whatever
the vendors have given them, and have then been forced to patch and
pray later. That is why some are now advocating that the government
step in and use its purchasing power as a weapon to get vendors to make
more secure products. The question is: will it work?