Cybersecurity Call


Bush advisor says developers must produce 'software that works'


Software developers must help secure cyberspace through product improvements, said President Bush's special adviser on cyberspace security.

"The software industry has an obligation to do a better job in producing software that works," said Richard Clarke, director of the Office of Cyber Security, in a keynote at the Black Hat USA 2002 Briefings trade event held here last week.

"It is no longer acceptable that we can buy software . . . that is filled with glitches," he said. "It is no longer acceptable that the number of vulnerabilities is going up."

Clarke's remarks were greeted with applause by the crowd of about 1,500 security professionals, but his reference to Microsoft's security initiative drew ripples of laughter. Microsoft Chairman and Chief Software Architect Bill Gates earlier this year directed employees to make security a priority in product development.

"Rather than rejecting Gates' statement that he's making security job one, I welcome it and will hold him to it," Clarke said.

Clarke added that the software industry could also help out by testing patches in a variety of applications. Because system administrators need to know whether a patch will work in their environments, often they won't use a patch until it has been tested, he said.

But software developers aren't the only ones who need to help secure cyberspace, he said, citing wireless LANs as a potential security risk. He cautioned those who deploy the technology not to transmit sensitive data over wireless LANs.

"Until we have a better, proven track record with wireless LANs, we all better shut them off," Clarke said.

And broadband providers need to provide security with their services because of the risks posed by always-on connections, he said. ISPs "should offer a firewall and a system that regularly updates that firewall," he said, adding that it's too much to expect a home user to keep track of patches and antivirus updates.

While he doesn't want the government "involved in controlling or regulating the Internet," Clarke said there needs to be some way that the government can help academics and others maintain the health of the Internet.

Tom Slodichak, chief security officer at WhiteHat, a security solution provider based in Burlington, Ontario, said he believes Clarke's points were valid.

"What he was saying is to take a step back. A lot of these products come out of the box insecure," Slodichak said. "Put a Band-Aid on the past and lobby the software industry to be more responsive about security moving forward."