Fri, Oct 6, 2000 9:04 AM
I apologize for the lateness of my comments. I realize the time has passed for these remarks but I thought I would attempt to get a critical issue across to you in the hopes of getting some attention to this subject.
The subject I want to address is computer and network security hardware and software. Almost every business, every institution, and many persons are connected in some fashion either via dedicated networks, by phone or cable, or via the Internet. This connectivity has led to an increase in the vulnerabilities associated with software and hardware products that provide security solutions. This includes firewalls, operating systems, communications software, and a host of other security products. The protection of sensitive data has become one of the most important activities any organization undertakes. The hardware and software products providing this protection have become paramount to all in protecting valuable personal, Governmental, and corporate data.
Imagine for a moment that you are the director of a large financial institution with millions of customers. You purchase security protection hardware and software such as firewalls, authentication applications, security protocols, and the like. This hardware and software are your first lines of defense against malicious attacks from the outside and inside. One Sunday evening, an attacker finds a vulnerability in the software you've purchased and compromises your global system. Theft of large sums of money, access to sensitive corporate data, or gleaning of credit card numbers is possible. During the investigation of the attack, you discover your firewalls have a defect in them that was known by the software vendor before you purchased them. What are your choices?
Under the current UCITA, you may have absolutely no recourse to recover your losses because of the nature of the current proposed law.
Now, I want you to think about all the security hardware and software purchased to protect classified U.S. Government secrets. Won't that make your day? And what will be your recourse?
As a security professional, I believe the current proposed UCITA has far too many technical loopholes and hiding places for vendors to cover themselves. Lack of technical skills, poor programming practices, and inadequate testing can lead to disaster for an unsuspecting customer. The old saying "Let the Buyer Beware" takes on new meaning when you deal with security.
I implore you to reconsider many of the problem areas of UCITA, even if you just apply the changes to security products alone. The hackers are waiting, gentlemen. It's only a matter of time.
Frank T. Bass