[ISN] An Antitrust Antidote for Software Security

InfoSec News isn at c4i.org
Thu Apr 8 10:05:04 EDT 2004


http://www.washingtonpost.com/wp-dyn/articles/A58955-2004Apr7.html

By Brian Krebs
washingtonpost.com Staff Writer
April 7, 2004

Congress should change U.S. antitrust laws to make it easier for
businesses to pressure software vendors to improve the security of
their products, according to a congressional advisory panel report
released yesterday.

Under the proposal, certain industry sectors could set software
security standards for their businesses. Vendors whose software fails
to meet those requirements would be barred from selling to those
industries.

The idea is an attempt to find ways for the business community to
protect critical infrastructures like the electricity grid and the
banking, water and telecommunications networks from hackers and other
online criminals.

"There have always been exceptions to antitrust laws when dealing with
issues relating to national security, and I can't think of a more
important area to have some standards than in this area of
cybersecurity," said John Burke, a Washington attorney who represents
the Financial Services Roundtable, a group of financial services
companies that participated in drafting the cybersecurity
recommendations.

The problem, Burke said, is that without a specific exemption from
Congress or the U.S. Justice Department, the plan could run afoul of
federal antitrust laws that prohibit group boycotts.

The Corporate Information Security Working Group was convened last
November by Rep. Adam Putnam (R-Fla.), chairman of a House
subcommittee dealing with information security. The group met shortly
after software industry lobbying groups persuaded him to shelve a plan
to require publicly traded companies to report their cybersecurity
readiness to the Securities and Exchange Commission (SEC).

Putnam is studying the antitrust idea but has not decided whether he
will formally introduce it as a bill, said spokesman Bob Dix.

The group's recommendations were released on Tuesday, several days
after another task force led by the nation's top software companies
conceded that new government regulations might be necessary to
strengthen the nation's important computer networks against online
attacks.

Lawmakers have focused much attention on information security issues
during the past year amid a spike in identity theft, viruses and other
online criminal activity. The White House approved a national
cybersecurity plan more than a year ago but it contains no
requirements for businesses to improve their electronic security
practices.

The companies that own 85 percent of the nation's essential
infrastructure say they are committed to making sure that their
systems are secure, but many of them complain that the software they
use is riddled with security holes. Those flaws, they said, cost
businesses billions of dollars a year. An antitrust exemption, some
say, would help them collectively pressure software firms for
improvements.

Cathy Allen, who heads the Financial Services Roundtable's technology
division, said the software industry has largely ignored the banking
sector's voluntary security certification program. Instead, she said,
the software vendors often play off one company against another --
offering discounts and other incentives to get them to drop their
security requirements.

"Trying to negotiate better security standards in our contracts with
the vendors isn't very effective because many companies simply won't
sell to you unless you agree to their terms," Allen said. "What we'd
like to do is to be able to put some teeth behind our voluntary
requirements."

The banking industry spends nearly $1 billion each year patching and
adapting computer systems to remedy software vulnerabilities,
according to a Financial Services Roundtable report released in
February.

The Information Technology Association of America (ITAA) opposes the
antitrust idea. The association represented software developers and
other high-tech companies in the cybersecurity working group. It did
not have the power to veto the antitrust recommendation, which was
agreed on by consensus among the group's other members.

"This is basically an attempt to give certain industry groups cartel
market power to fix prices," said ITAA General Counsel Joe Tasker.
"What we have is a case where the buyers themselves consistently
violate their own principles."

"We're not averse to it per se, but we're not sure why it's needed,"
said Robert Hoffman, vice president of congressional and legislative
affairs for business software maker Oracle Corp.

Hoffman said that Oracle supports a number of different ways to
improve software security, but said that an antitrust exemption is a
"pretty heavy hammer."

The Justice Department routinely grants antitrust exemptions, said Bob
Lande, an antitrust law professor at the University of Baltimore
School of Law.

Antitrust exemptions previously granted by Congress include one
notable 1970 law that allows newspapers operating in the same market
to pool their resources on advertising, printing and distribution.
Major League Baseball operates under an exemption effectively granted
by the U.S. Supreme Court in 1922 that requires the league to approve
any of its teams' decisions to move from one city to another.

"Antitrust laws are amazingly flexible rules and can deal easily with
legitimate business justifications," Lande said. "The way they're
being interpreted by today's judges is in a very conservative,
non-aggressive manner. I can't say the risk of antitrust problems is
zero, but boy it is low."

Changing the antitrust laws also would hold software developers who
work with Linux more accountable for security, said Alan Paller,
director of research for the SANS Institute and a member of the
cybersecurity group.

Such a requirement would be more challenging for open source vendors
because much of the software is maintained by thousands of independent
software developers, he added. "This could force a certain amount of
discipline on that group that they may not want to have... They would
no longer be able to throw up their hands and ignore responsibility
for security just because it's open source."

The cybersecurity working group made nearly two-dozen other
recommendations. One would limit public access to information about
the locations and weak points of vital communications, power and water
networks. Another proposes that Congress insulate companies from
shareholder lawsuits if a hacker breaks into their systems.

Putnam, meanwhile, plans to introduce a bill to implement another
recommendation from the panel -- amending the federal government's
technology acquisition guidelines to ensure that agencies seeking new
computer software and hardware make cybersecurity a priority.
