Business Technology: Secure Computing Must Move To The Front
One of the things that makes America such a fantastic place is our ability not just to tolerate an incredibly diverse range of opinions and outlooks, but also, in the first place, to produce these polar opposites and everything in between. I could easily write 10 pages on this subject but will spare you that agony and instead come back to last week's theme--hackers, the law, and accountability--which is also a major component of this week's cover story.
Last week the column centered on the role of hackers in general and on BlasterB creator and distributor Jeffrey Parson in particular. Most of the feedback we got said yes, let's get serious with these malicious attacks and treat them as crimes and treat the perpetrators as criminals, and not just as slightly demented but harmless goofballs who thought, mistakenly, that their actions were just a highly evolved variant of Dungeons and Dragons. And about a quarter of the couple hundred letters we received said yeah, let's punish the hackers but let's also rewrite the rules for the software developers whose products aren't secure enough to keep the bad guys out. And then, far out on the fringe, where sometimes the brilliant ideas take flight but more often the profoundly bizarre take hold, came the few who generally seemed to equate all this as somehow a version of the mythical "victimless" crime. Or, as it was put by one guy who claimed this entire country is turning into "a cyber lynch mob," anyone who feels hackers should be held accountable for their actions is expressing nothing more than "a childish need to avenge inconvenience." Inconvenience!! Is that what you felt last month fighting these attacks by working round-the-clock and spending money you don't have and leaving major projects on hold while the head of the business unit needing those projects was blowing Godzilla heat in your face all day? INCONVENIENCE? (Then again, he elsewhere used the word "abnegation," so he must know what he's talking about....)
Let me offer a parallel. There's a domestic terrorist group called the Earth Liberation Front that has claimed responsibility for a series of violent, criminal acts: torching SUVs in dealer lots, bombing research labs, and setting fire to corporate facilities are but a few of their favored methods of free expression, which they then go on to rationalize as free speech or peaceful revolution or not-so-passive-but-still-completely-justifiable resistance or some other absurdity. One of their tortured claims to legitimacy is that no individual person was directly attacked or injured in these attacks--therefore, it's OK. Their group's name is "pro-Earth"--so it's OK. They're striking a blow for the "disenfranchised"--so it's OK. They're protecting animals who don't know how to stage protests--so it's OK. Their Web site posts information on how to make and deploy bombs and set fires, but that's protected by free speech--so it's OK. Let's ask the firefighters who risk their lives to extinguish this arson if it's OK.
These acts of terrorism--in the cyberworld as in the physical world--are not OK. They are illegal, they are dangerous, they are costly and cowardly, and they must be treated as such, which means that the agents behind these acts need to be rooted out, prosecuted to the fullest extent of the law, and punished. It's time that we as a powerful global community step forward and shout down the fools who say computer sabotage is victimless, these are pranks, these perpetrators are free-expression geniuses creating art in response to greedy multinational capitalists; rather, we need to say ever more loudly that they are criminals, and in a free society governed by the rule of law they, like all the rest of us, need to be held accountable for their actions. I think it's time we started firing off letters to our elected representatives, urging them to consider whether the laws we have in the field of computer sabotage are appropriate for what we are facing today.
Simultaneously, the community of business-technology vendors needs to step forward as well and commit itself to doing whatever is necessary to turn out products that aren't so vulnerable to intrusion and the nightmares those attacks can trigger. It's time for these vendors to accept their own responsibility to toss out flawed development strategies, to stop viewing patches as upgrades, to cease with the evasive language that attempts to ascribe blame everywhere but on themselves. It's time for Microsoft in particular to step up to its promise of "trustworthy computing" so boldly proclaimed 19 months ago by Bill Gates himself and to support that effort with exactly the same sort of executive commitment and unlimited resources that the company devoted several years ago to the reorientation of every facet of the company around the Internet and the Web.
Microsoft long ago committed itself to becoming the most powerful software company in the world (even though you probably won't find those specific words written down anywhere). By many measures, it can now claim that mantle. But with that position comes enormous responsibility, whether the company wants to accept it or not. That responsibility is chiefly to its millions of customers who have invested serious money--as individual consumers or as businesses--in Microsoft's products, its vision, and perhaps most important, its brand. And Microsoft will be putting itself in grave danger of seeing that precious and priceless brand become severely diminished unless it does at least these three things: First, it has to recommit itself to increasing the security of all its products, whether operating systems or applications or tools. The measure of that security will not be internal documents or QA processes, but rather the impenetrability of the systems owned by customers using Microsoft products, and the experiences those customers have. Either they'll be secure, or they won't be; either Microsoft's reputation will be upheld, or it will be severely damaged.
Second, the company has to state publicly and clearly that this is not a top priority for the company but is, in fact, the top priority. And it must ensure that this commitment extends not just throughout the company but also to its unrivaled global network of developers, consultants, and solutions providers. It can even refresh the Trustworthy theme; it was a good thematic start, but seems to have lost a bit in the deployment.
Third, Microsoft should take a lead role in pushing for and establishing an industrywide working group comprised of every major enterprise software company to share best practices for developing software that is truly secure and that stifles hackers. The alternative to this will be for all of us to sit back and watch as the same state attorneys general that engaged Microsoft in antitrust and unfair-competition battles will begin drafting the Corporate Software Lemon Law. Heck, you could even imagine a scenario under this plan in which every state can "embed" its own overseers inside Microsoft's development labs, stretching development time out exponentially and quadrupling costs. But--we won't be able to say we weren't warned.
What I've said above isn't motivated by a misplaced need to be provocative or "edgy"; it is, rather, a reflection of a deepening mood across the business-technology community of profound frustration, which is rapidly giving way to anger and bitter resentment over broken promises, lost time, lost money, and lost opportunities. Many companies are saying that they've had more than enough of hackers and their crimes, and of software vendors and their products that, when it comes to security, are all too often defective. This isn't fleeting, it's not caused by the impending change of seasons or even by the proximity of Mars--it's a harrowing and intolerable problem for so many because they see the incidents are getting worse and they see no apparent or at least visible and tangible effort to eradicate the problem at its source: software and systems that simply don't keep the bad guys out.
And as for the bad guys, they're criminals, and they're operating freely and with very great impunity right in our midst. They're corrupting our work, our businesses, and very possibly the lives of innocent people. They're costing our companies and our economy billions and billions of dollars each year, and as we tally up the butcher's bill we should be very mindful that history shows us that these types of people will most certainly continue doing these things until someone stops them. And it's time for all of us to sign up as deputies--or, we can all just shut up and keep taking the consequences of silence and inaction.
Bob Evans
Editor in Chief
To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post.
To find out more about Bob Evans, please visit his page on the Listening Post.