Software Industry Acknowledges That New Security Rules Might Be Needed

The companies, including Microsoft Corp. and Computer Associates International Inc., said the Homeland Security Department 'should examine whether tailored government action is necessary' to compel improvements in the design of computer software.

The 250-page report containing that recommendation and dozens more was being released Thursday. It cautioned that government should require security improvements only when market forces fail. It also said businesses already are demanding software that is safer and more resilient to attacks.

But the report said the most sensitive computer networks, such as those operating banks, telephone networks or water pipelines, 'may require a greater level of security than the market will provide.'

In those cases, the software companies recommend 'appropriate and tailored government action that interferes with market innovation on security as little as possible.' It urged the government to work with companies to produce a formal study during the 2005 fiscal year, which begins in October.

The public acknowledgment that any level of new government regulation might be needed to improve software security represents an important shift by the technology industry. It has vigorously contested mandates from Washington during the past decade, even in the face of increasingly devastating attacks by new generations of hackers and viruses.

'That's a big lean in the right direction,' said Alan Paller of the SANS Institute in Bethesda, Maryland, a computer-security organization. 'It's a nod to reality; they're nodding but they've got their heels dug in.'

The industry recommendations were solicited by the Homeland Security Department's cybersecurity division in December.

The report was put together by experts who included representatives from the Defense Department, National Security Agency, technology companies and universities. The group was organized by executives at Microsoft and Computer Associates.

'When you look at the key recommendations of the report, the road ahead is for government and industry to establish a vision for how we can take steps going forward to make the cyber infrastructure safer,' said co-chairman Scott Charney, Microsoft's chief security strategist.

James Lewis of the Washington-based Center for Strategic and International Studies, who also participated, described the industry's shift as 'recognition that absent some kind of pressure, software isn't going to get better.'

The report did not recommend whether companies should be made legally liable over shabby software, except to note that 'vendors are avoiding almost all liability for any damages done or expenses caused to their customers and users from software security problems.'

Co-chairman Ron Moritz, the chief security strategist at Computer Associates, said questions about liability were too complicated to be included in the report.

Copyright © 2004 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.