
Fed plea: Stop security leaks

Federal officials implore researchers and hackers who find security vulnerabilities to disclose the information more responsibly.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
LAS VEGAS--Security researchers and hackers who find vulnerabilities need to realize that discretion is more important than valor, several federal security experts said at the Defcon hacking conference here this weekend.

Additionally, federal officials said they would use the government's massive purchasing power to force developers to improve the security of their products.

While acknowledging that software makers continue to release buggy products, Richard Schaeffer, deputy director of the National Security Agency, stressed that publicizing a vulnerability without warning and before a patch has been created could potentially threaten U.S. computing systems.

"Responsible disclosure means not letting out information that could do harm to critical systems falling into the wrong hands," he said.

Schaeffer's comments echoed those of presidential cybersecurity adviser Richard Clarke, who spoke last week at the Black Hat Security Briefings here. Clarke told attendees that finding vulnerabilities in buggy software is important, but properly handling the disclosure is critical.

As Clarke did, Schaeffer also blasted the software industry for the large number of bugs in their applications. "The quality of the software that we are getting is terrible," he said.

Marcus Sachs, a member of Clarke's 16-person Office of Cyberspace Security, warned that the government will use its checkbook to ensure software makers improve their products.

"We, the federal government, have enormous purchasing power," he said. By demanding more secure software, the government can directly affect the quality of product, he added.

The debate over disclosing vulnerabilities has heated up as software security has become a high priority in government and industry. Security researchers who find vulnerabilities often use the information to embarrass companies and score public relations points for their own firms. Conversely, software makers frequently fail to find or disclose problems in a timely manner.

Early last week, for example, Hewlett-Packard threatened a security researcher with a lawsuit for releasing information about a flaw in Tru64, the company's high-end server software. HP backed off the threat Thursday.

While he didn't support such tactics, Sachs underscored the seriousness of releasing vulnerability information before a patch has been created.

"Microsoft is widely used in the critical infrastructure--more than we thought," Sachs said, stressing that publicized flaws that have not been corrected could damage government systems.

"The time (to deal with this) is now," he said. "We are past the point where we can keep talking about it."