Decrypting the future of security

Mary Kirwan

Special to Globe and Mail Update

Mary Kirwan is a lawyer on three continents, a writer and IT security expert. She is currently completing a book on IT security for industry, for broad release in 2005. Contact her at mary@headfry.com.

At the recent RSA Security Conference in San Francisco, a number of themes predominated and resonated with the record-breaking crowd.

As expected, the large software vendors jockeyed for position in extravagant showbiz style. Bill Gates decided to be merciful and finally put the security product vendors out of their misery by announcing that Microsoft was about to enter their space with a new anti-virus product. They reacted the only way they could: they took it like men and came out swinging, full of jibes and insults.

It was rather splendid theatre, and testosterone levels were high.

However, in one marked respect, all the vendors were singing from the same hymnbook. They paid constant tribute to 'innovation' in the IT sector, with a fervour verging on the religious: innovation was everywhere; innovation that would suffer if security concerns got a grip on the public imagination.

There was a slight whiff of desperation in the air.

John Chambers, CEO of Cisco, was the only titan to address the underlying issue head on. He alluded to concerns in the distant past about the connection between IT and productivity, but proclaimed, in his inimitable southern drawl, that these worries had long since dissipated.

But at the heart of it all was a de facto acknowledgment that Nicholas Carr's premise in his critically acclaimed book, Does IT Matter? (following his Harvard Business Review article on the same topic), had struck a raw nerve.

Carr's damning conclusion — that the IT industry was in imminent danger of wholesale commoditization, as vendors had 'overshot' the needs of their customers with upgrades full of bells and whistles they don't need and that offer no strategic benefit — was a serious threat to a lucrative business model.

After an initial panic to fund R&D programmes at universities and 'think tanks' to prove that IT really does matter, the new vendor response appears to be to pretend the debate no longer exists.

Bill Gates talked about progress in the past year, and indicated that Microsoft is spending $6-billion (U.S.) on R&D, that one third of that is "directly security focused" and that the "rest ties in with that". On the thorny issue of improving software code, he stated that Microsoft is building "special tools" internally and sharing them with partners.

Despite concerns about social engineering and phishing attacks that "fool users", he was confident they would be able to mitigate the security problems and "allow fantastic things to happen".

So there was universal agreement that innovation was endemic to the sector, and that security matters. And that something has to be done about it.

That was the easy part.

But when it came time to figure out what to do about it, things frequently got heated and finger pointing was rife. The ISPs were blamed for not securing their pipes, and not forcing firewalls on users before they could connect. And home users were to blame — for just about everything.

But generally speaking, most guns were pointing at the software vendors as being responsible for the current sorry state of affairs.

Indeed, the spectre of legislation, or lawsuits, that might expose vendors to software liability was everywhere, and vendor fear was palpable, although they put up a brave, and oftentimes cantankerous, front in an attempt to stem the tide of the inevitable.

A panel of lawyers, dominated by Microsoft in-house counsel, not surprisingly set the tone for the vendor take on the gnarly subject. The vendor party line can generally be summarized as 'the four horsemen of the Apocalypse'.

A veritable plague of locusts will descend on the planet and devour it inside out if software liability for vendors becomes a reality. Huge software vendors not usually unduly concerned about the trials and tribulations of the 'small software developer' are wracked with concern for their doomed brethren.

Innovation, that old stalwart, was trotted out again and again. It would be stifled, snuffed out and the 'golden goose would be killed.' Prices of course would inevitably increase. Eerie comparisons were made to the plight of the heavily regulated pharmaceutical sector, the suggestion being that it would take an eternity for any new software product to come to market if the sector was regulated.

The Microsoft lawyers also indicated that it would be impossible to police legislation in a global marketplace, despite the fact that intellectual property disputes are internationally regulated and litigated. They expressed astonishment that Windows 95 users are still out there and expecting anything from Microsoft.

The underlying message was — 'why don't the dumb users just upgrade when we tell them to'? The penny clearly has not fully dropped, and legacy systems are not going away any day soon, wishful thinking aside.

The sole dissenting speaker on the Microsoft-dominated lawyer panel pointed out that customers are insisting on better terms in software licences, especially those in heavily regulated sectors such as health care, and generally "regulating their base." They are also demanding input into the code development lifecycle, demanding more transparency, pushing indemnification onto developers and insisting that code be escrowed, in case the vendor is not around when the customer needs it.

The Microsoft lawyers suggested that the legal concept of an 'intervening criminal act' would save them from a finding of negligence (i.e. 'the hackers did it'), and they alluded to the possibility that consumers would be found contributorily negligent.

And what did the audiences make of the doom-laden scenarios presented by the vendors?

They appeared highly sceptical. Their patience is clearly wearing thin. Many attendees and speakers expressed the view that if legislation and a new required emphasis on software quality assurance and accountability for code development eradicated purveyors of vapourware, and separated the wheat from the chaff, they were all for it.

A panel on the issue of whether to regulate the sector, consisting of Bruce Schneier, well-known author and security maven, Richard Clarke, ex-U.S. Cybersecurity Tsar and author, and two representatives of the software industry, Harris Miller and Rick White, brought the issues into full focus and engaged the large crowd.

The industry representatives displayed that most American of sentiments, mysterious to Europeans — who generally have a more positive view of elected democratic governments — that government intervention is always "highly undesirable," "governments can't predict the future" and are "ill suited to the task" — only useful as "a last resort."

Mr White, an ex-U.S. elected House representative, chided Richard Clarke for suggesting the "nuclear option."

Feelings were clearly running high. Mr Miller repeatedly extolled the virtues of a mysterious software "contract" that protects software customers and removes the need for legislation, much to the bemusement of the audience, most of whom were well aware that the vendors universally disclaim all liability for their products. He also gave the example of cars being recalled by car manufacturers as proof that regulation doesn't solve the problem.

Schneier posed the rhetorical question, to howls of approval from the audience, as to whether they would have done so, "unless they had to."

Richard Clarke thought that the current "patchwork quilt of legislation" in the U.S. was not working, and pointed out that the most important sectors, such as the utilities, are not regulated at all. In his view, tough global security and privacy laws in Europe and Singapore compounded the problem.

Miller described EU laws as out of step with the rest of the world, despite the fact many other countries around the world have adopted them.

Clarke expressed a marked lack of sympathy for the portrayal of the IT industry as a poor helpless lamb to litigation slaughter: "... It is a billion-dollar industry … and not innocent," he said, adding that he found the floodgates argument to be a "red herring."

Indeed, his view, shared by many at the RSA event, is that after a major incident, the software vendors will get "worse regulation than they might get now."

Indeed, it was abundantly clear that many senior U.S. government officials, especially those with responsibility for protecting national security and critical infrastructure, have had enough. Their frustration and anger were very real. Rest assured, if poor code causes harm to critical infrastructure, the software vendors are done like dinner, and senior government officials around the world are just waiting to pounce.

So what is the good news?

It appears that salvation may come from unlikely quarters.

Concern for the plight of Luddite mothers everywhere appeared to be rampant amongst the security digerati at RSA. Bruce Schneier thinks it is 'a crime' that the ISPs do not give his mother a secure connection. Amit Yoran, the erstwhile Homeland Security Cyber Tsar, expressed similar laudable sentiments and concern for his mother on-line.

Perhaps it is an epidemic? Maybe the poor maligned dummies, and especially their mothers, will turn the tide and bring about much-needed change.

Just don't count on it.
