But Pescatore says the bill is "misguided" and should encourage companies to spend money on preventing security problems rather than fixing them after they occur. Security spending is increasing, but so is the number of cyberattacks. Gartner has estimated that companies spent 2.6% of their IT budget on security in 2000 and will spend 3.3% this year and 4.1% next year. "This spending will now go even higher as a result of the attacks and new emphasis on security," Pescatore says. But he says that companies are feverishly fighting the symptoms rather than facing the core issue of inherently insecure products. "You are rewarded for throwing up firewalls and biometrics, but not for buying more secure products in the first place."
Pescatore says the government--as well as the free market--should use other incentives to force vendors to ship more secure software. For example, he says, tax breaks should be given for providing security training to software developers and for research that improves the security of infrastructure software. Says Pescatore, "This bill, if it becomes law, will just exacerbate the existing problem we have with vulnerabilities and patches."