Wanted: Improved SecurityWanted: Improved Security

Corporate boards and Internet service providers need to get tougher about protecting their networks against hacker attacks and viruses, and software vendors need to make security features easier to use, according to government and private-sector cybersecurity experts speaking at the RSA Conference this week.

In a keynote address at the cryptography and computer-security conference in San Francisco on Wednesday, Gen. John Gordon, assistant to the president for homeland security, called on software developers to improve their products' quality. A panel discussion on information security and corporate governance later that day included former White House cybersecurity adviser Richard Clarke, now chairman of Good Harbor Consulting, which advises companies on selling to the Department of Homeland Security and other government agencies; Richard Holleyman, CEO of the Business Software Alliance, an anti-digital piracy group; and Scott Charney, chief trustworthy computing strategy officer at Microsoft.

Among their remarks:

Clarke said last year was a "market failure" in cybersecurity, "and 2004 doesn't look much better," he said. In general, Internet service providers "do nothing about security. The market isn't forcing the ISPs to do anything about security--it's not a reason people choose one ISP over another."

According to Holleyman, "Information security isn't solely a technical issue." It requires management participation, he said, and corporate board members don't understand their roles and responsibilities.

Charney, a former Justice Department lawyer, said the spread of worms and viruses last year wasn't surprising--it takes the IT market a while to work against them. Most companies are using Microsoft software designed before threats like the SoBig and Blaster worms that spread across computer networks last year. Microsoft's latest server version of Windows, he said, prevents infected computers from spreading the worm to other machines. "It's going to take time to fix this problem, because the legacy systems weren't designed for the current threat model," he said. "We're in a tough situation, and it's likely to remain tough."

Gordon said the U.S. intelligence community needs to create "a new breed of cybersecurity analysts." Adding security features to home networks also is too difficult, he said. "The industry needs to make it easy for users like me, who are reasonably technically competent, to set up security and encryption features." And if the software industry got tougher on quality assurance, it could close off paths of cyberattacks.