What began as an uncoordinated din of IT professionals complaining about computer security has turned into a collective movement that's spanning entire industries. For evidence, consider the actions taken by BITS, a powerful financial-industry organization that recently crafted a detailed security policy on how it expects technology companies to respond to the needs of its member firms. Two weeks ago, the nonprofit consortium squeezed concessions from Microsoft. Now, other big-name vendors are in its sights.
BITS acted because the costs and risks associated with rising software vulnerabilities have become "untenable," senior director John Carlson says. Coping with software vulnerabilities has become a $1 billion-a-year problem for the financial industry, according to BITS, whose heavyweight roster includes Bank of America, Citigroup, Fidelity Investments, and Wells Fargo. "We clearly anticipated that the costs are going to increase over time unless something is done," Carlson says.
"There's almost no one who's immune," Huntington National Bank's Seibel says.
Photo by Janet Adams
BITS held an invitation-only meeting in February for its members and some undisclosed software companies, and, in late April, it unveiled a sweeping plan to encourage IT vendors to show a "higher duty of care" in delivering foolproof products. A detailed policy statement, issued jointly with the affiliated Financial Services Roundtable, calls on vendors to make security a fundamental part of software design, support older versions of products, make upgrades easier, improve the patch-management process, and give companies with "critical infrastructure" advance notice of new vulnerabilities.
The group hopes to influence product development and support across the technology industry. Prominent names are at the top of its list: Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft, Oracle, and PeopleSoft. "There are lots of potential weak links," Carlson says. "Our members said, 'These are important companies to engage.'"
InformationWeek surveyed some of those leading technology companies to assess their readiness to meet BITS's specific proposals. To see their answers, go to informationweek.com/996/ responses.htm.
BITS supports incentives, including tax breaks, to encourage vendors to put more research and development into security, and it promises to help protect industry groups from antitrust laws as they collaborate on security measures. It's also wielding a stick by encouraging regulators to share some of the information they already gather on the security practices of software companies.
Security professionals believe there's something to be gained by bringing the collective weight of an industry to bear on the issues they face every day. "These efforts present a united front and focused pressure, rather than each of us working on our own to improve software and to get change," says Gene Fredriksen, VP of information security with Raymond James & Associates, co-chair of BITS's software-security working group, and a member of its security and risk-assessment executive committee.
It doesn't hurt that BITS has the backing of some big guns. Thomas Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's board of directors. According to Cisco, its CEO, John Chambers, has met directly with the industry group.
BITS is rallying companies from other industries around the same set of issues. Technology executives from the telecommunications, chemical, and electric-utility industries were invited to its closed-door February meeting, and the group coordinated with the influential Business Roundtable on the details of its software-security policy and the timing of its release.
Microsoft's arrangement with BITS was the first of its kind, but it won't be the last, says Gytis Barzdukas, director of product management with the vendor's security business and technology unit. After six months of discussions, BITS talked Microsoft into providing more-favorable terms for Windows NT 4.0 custom support and making Windows support personnel available to BITS's members in their local offices. Both sides say further cooperation is planned.
The risks to a bank's reputation from security attacks can equal or surpass losses from lawsuits or penalties, Bank of America's Gear says.
Photo by Sacha Lecca
Under Basel II, an accord reached last month by international banking authorities, large banks must be able to measure by the end of 2007 their exposure to operational risk, including software flaws, in addition to credit and market risk. Large financial institutions have had Basel II preparations under way for at least a year, beginning with compiling data about previous cyberattacks and formulating scenarios about potential new ones.
Conscious of the need to proceed without disrupting ongoing business activities, teams of IT, compliance, legal, and audit specialists are working to formulate plans combining all these elements. The hope is that by working collaboratively, they can present business heads with a single plan of action. "We don't want to go to them with one set of compliance questions and another set of security questions," says an information security executive at a large multinational bank.
When reviewing software products, this executive says, "we ask [vendors] to show us their model for providing software updates and patch distribution, both during the ordinary course of business and during emergencies." Vendors are grilled on their response procedures in the event of a crisis. Bank of America's Gear says banks routinely write into contracts clauses that specify software products are warranted as being free of malicious code. "It's a huge, huge issue," she says.
BITS has set the security bar high with its own stringent set of criteria for product certification, introduced in 1999 and reintroduced two years ago after being aligned more closely with the international security evaluation standard known as the Common Criteria. So far, only two products--HP's VirtualVault and Archer Technologies' SmartSuite Framework--have passed muster. "It tells us software companies have a lot of work to do in terms of meeting the targeted needs of our profiles," Carlson says.
Carlson and many security professionals agree that vendors have shown an increased willingness to address their concerns and acknowledge that IT departments bear much of the responsibility for securing their systems and networks. But they say vendor efforts haven't yet passed the most important test: There's been no decline in the number of security threats or attacks, or in costs associated with them (see story, Under Attack).
What comes next? BITS is working to define best practices for patch-management and on security issues associated with spyware, wireless technologies, and remote access. Users would also like to see increased collaboration among technology suppliers themselves. "Ultimately, I would like to see the industry get to the point where we have common security baselines among vendors," says Raymond James' Fredriksen.
Oracle is thinking along the same lines. "The next frontier is for vendors to drop their competitiveness," says Mary Ann Davidson, Oracle's chief security officer. "Developing secure code is not a trade secret. Vendors need to start calling each other up and sharing development techniques. The hackers certainly share attack and vulnerability information."
If the vendors can ever outpace the hackers, their customers will deserve part of the credit.