Expert: There ought to be a law against bad software

'I find it unconscionable that software today is what it is,' a former NSA systems official says

By William Jackson

GCN Staff

Government security is hamstrung by the poor quality of the software and hardware that make up information systems, a panel of security experts said at a recent conference.

'We have no assurance of the elements we're working with,' security consultant James P. Anderson said at the National Information Systems Security Conference in Arlington, Va., sponsored recently by the National Institute of Standards and Technology, the National Computer Security Center and the National Security Agency.

Enterprises assume off-the-shelf products will work as advertised out of the box, but the products often arrive with loopholes and back doors that make security patching a full-time job, panelists said.

Not all of the unexpected features are accidents or oversights, said Cynthia Irvine, director of the Center for Information Security Studies and Research at the Naval Postgraduate School.

Software developers like to build surprises called Easter eggs into their work during development, she said. A flight simulator game hidden inside Microsoft Excel, which she demonstrated, is one of the best-known examples.

'There are Easter eggs in most software out there,' Irvine said. 'Subversion of software is rampant.'

Egg hunt

Most Easter eggs are not malicious, Irvine said, but because they are buried in source code, finding and evaluating them usually is impossible. Users cannot assume they are not there, cannot assume they are benign and in general cannot guard against them.

The way to counter undependable products is to establish rigorous development policies for critical systems, Irvine said, and 'we're not doing that today.'

Blaine Burnham, who came to Georgia Institute of Technology from NSA to head the institute's Information Security Center, suggested that it might be time for the equivalent of a Pure Food and Drug Act for software, to ensure that products perform as advertised.

'That's an extreme solution,' Burnham said. But he said it is time for a national discussion of the impact software has on national and personal security and privacy, and the role government should play in regulating quality.

'I find it unconscionable that software today is what it is,' Burnham said.

Steve Lipner, director of the systems technology center at Mitretek Systems of McLean, Va., said the first rule for developing real-world products is to build what people will buy. A quality control act for software would have to come out of customer demands for product assurance and accountability, not from industry initiatives, he said.

'But I'm not optimistic that is going to happen anytime soon,' Lipner said.

So much software infrastructure is already in place, Burnham said, that improving the quality of systems elements will be a generational effort that might not bear significant fruit for 20 or 30 years.
