US government seeks vendor accountability

US Federal agencies, which have begun spending millions to upgrade information security in response to a presidential directive, said protecting computer networks will also mean finding ways to hold software vendors accountable for the quality of their products.

John Gilligan, CIO at the US Department of Energy, said users have to focus attention on better defining expectations and enforcement of warranties for commercial software.

Vendors must "provide products that will either be free from certain types of vulnerabilities or reliability problems, or they will have financial liability," said Gilligan, speaking last week at the US Department of Commerce's National Information Systems Security Conference.

Federal agencies were ordered by President Clinton last year to do what's necessary to protect critical systems from information security threats. The order set off a scramble among agencies to develop security plans and seek money from Congress.

But some issues aren't easily addressed. US agencies are becoming "increasingly more reliant on commercial off-the-shelf products," said Christopher Mellon, deputy assistant secretary of defence for security and information operations.

And it's difficult to tell, in some cases, where commercial software code "was written, what its heritage is and to even know what it is you are buying," he said.

Defence and other federal agencies are currently working on plans to improve information security through training, vulnerability testing and system improvements that include developing incident-response teams to tackle security threats. Agencies are also improving training for systems administration workers.

But Congress is balking on funding. The Commerce Department is seeking about $US79 million for its information security work, and the Department of Energy, which has been plagued by an espionage scandal this year, asked for about $35 million this year, which it hasn't yet received.

Federal officials said security funding is cost-effective. One security incident can cost as much as $500,000 to repair.

As with private industry, security threats posed by disgruntled employees are greater for government systems than attacks from outside.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Critical SystemsMellon

Show Comments
[]