In response to requests from Plumbing Manufacturers Intl. (PMI) and its members, as well as from other supporters of the U.S....
In a report to the Bush administration, leading software companies acknowledged that government might need to force the U.S. technology industry to improve the security of America's computer networks.
The companies, including Microsoft Corp. and Computer Associates International Inc., said the Homeland Security Department "should examine whether tailored government action is necessary" to compel improvements in the design of computer software.
The 250-page report containing that and other recommendations was released Thursday. It advised that government should require security improvements only when market forces fail. It also said businesses already are demanding software that is safer and more resilient to attacks.
However, the report said the most sensitive computer networks such as those operating water pipelines, banks and telephone lines "may require a greater level of security than the market will provide."
In those cases, the software companies recommend "appropriate and tailored government action that interferes with market innovation on security as little as possible." It proposed the government work with companies to produce a formal study during the 2005 fiscal year, which begins in October.
The public acknowledgment that any level of new government regulation might be needed to improve software security represents an key shift by the technology industry. It has vigorously contested mandates from Washington during the past decade, even in the face of increasingly devastating attacks by new generations of hackers and viruses.
The industry recommendations were solicited by the Homeland Security Department's cybersecurity division in December.
The report was written by experts who included representatives from the Defense Department, National Security Agency, technology companies and universities. Leading the group were executives from Microsoft and Computer Associates.
The report did not recommend whether companies should be made legally liable over shabby software, except to note that "vendors are avoiding almost all liability for any damages done or expenses caused to their customers and users from software security problems."
Co-chairman Ron Moritz, the chief security strategist at Computer Associates, said questions about liability were too complicated to be included in the report.
Other recommendations include the following:
Spending at least $12 million, including $6 million in government money, during the next 19 months for a dozen new academic fellowships nationwide to teach future computer engineers to design safer software.
Providing unspecified incentives to companies for reducing software defects.
Offering bounties for information leading to the conviction of hackers and virus writers.
Establishing a cybersecurity report card for operators of the most important computer networks.
Setting up a government laboratory to keep track of software repairing patches and test how effectively they work.