At the first Global InfoSec Summit in Washington on Monday, a lot of attention was focused on hackers and crackers and whether laws -- worldwide -- were strong enough to do anything about them. But not everyone at the conference blamed the obvious bad guys.
William Caelli, who heads the school of data communications at Queensland University of Technology in Brisbane, Australia, said responsibility for many security problems rests with insecure software being produced by the information technology industry. "There is no evidence that industry has ever done anything that has involved extra cost unless mandatorily told," said Caelli, in arguing for security regulations.
But Betty Shave, who heads the international computer crime division of the U.S. Justice Department, said the government's view was to let self-regulation work and let the industry shake itself out. "We won't be prescriptive in a way that is particularly, in this setting, harmful to business," said Shave.
"There is also not much tradition in the United States for criminalizing products that don't work very well or don't work the way they're supposed to," she said.
Those two views represented something of the diversity of outlooks expressed at this conference, attended by 300, on how to approach the complex problem of international cyberlaw.
The conference, sponsored by the Information Technology Association of America in Arlington, Va., and the World Information Technology and Services Alliance in Vienna, Va., a group that represents high-tech trade associations worldwide, took a bird's-eye view of security issues. When it comes to cybersecurity, the conference proceedings revealed that many countries remain far apart in their approaches.
For instance, according to a preliminary analysis of 44 nations by Bruce McConnell, a former White House official who led the International Y2K Cooperation Center, more than half of the countries studied lack any specific computer crime laws at all. Most of the major industrialized countries have such laws, including India and Malaysia. But there are some notable exceptions, such as New Zealand and Norway, he said.
For businesses, the absence of specific laws dealing with information security creates an element of risk and uncertainty. "I don't think there is a resistance [to computer-specific laws], it's more of a lack of awareness," McConnell said.
More countries have laws prohibiting break-ins of government computer systems, but they don't necessarily extend those same protections to the private sector, said McConnell, who operates a Washington-based consulting firm, McConnell International LLC. But "as a general matter, the penalties are very weak," he said.
Some attendees were worried about the security implications raised by the Uniform Computer Information Transaction Act (UCITA), the controversial software licensing law being considered by states in the U.S. Vendors may use the law's provisions to prohibit reverse engineering of software code, something security experts often do to search for problems.
But Steve Katz, the chief information security officer at Citigroup Inc., said industry groups, such as the Banking Industry Technology Secretariat (BITS), can put pressure on vendors to ensure software is examined.
BITS last year established a security laboratory in Reston, Va., operated by Global Integrity Corp., to test the security features of banking applications. "If a product doesn't pass, you are going to have a problem getting in the door" of a financial institution, said Katz.
Businesses that plan to offer digital signatures to consumers may have a tough sell ahead of them, according to an opinion poll released Monday by the ITAA. In a telephone poll of 1,000 adults, 70% of respondents said they wouldn't feel safe using digital signatures. Harris Miller, president of the ITAA, said the results clearly indicate that the public is skeptical. "Leaders of the New Economy have an educational challenge," said Miller.
But more respondents -- 42% vs. 21% -- were inclined to trust businesses over government when it came to protecting their personal data. Thirty-seven percent of those surveyed didn't answer this question.
J. J. Disini, a Manila-based attorney, offered a postscript to the Love Bug virus incident that had the conference audience laughing.
The technical computing college that the alleged author of the Love Bug virus attended before he dropped out has developed a program to place students in jobs in foreign countries, said Disini. He said the school's tag line for selling itself could be: "If our dropout can cripple the world's systems, imagine what our graduates can do."