Google exec calls for new software security framework
NEW YORK — As organizations grow increasingly dependent on technology and the Internet, new frameworks need to be devised to provide incentives for software producers to create more secure products, said Vinton G. Cerf, vice president and chief Internet evangelist for Google Inc.
Referring to the recent breach of millions of files at the Office of Personnel Management containing personal information on current and former federal employees, Mr. Cerf said the incident showed that financial compensation could not undo the harm that was done and a different approach needs to be adopted.
“There need to be reasonable steps taken to make software less vulnerable … but what sort of things should a company that makes or uses software do to argue that they are taking reasonable steps?” he asked during a session at the Global Insurance Forum in New York, which is sponsored by the International Insurance Society.
The level of regulation should be determined in part by the circumstances, and determining the risk and liability exposures plays an important role in devising the regulatory framework, said Mr. Cerf.
For example, software used in medical devices, where patients' lives are at stake, needs to be held to a higher safety standard than software used to create “apps that tell you when your bus is coming, but how do you judge the range of consequences of failure? A lot of work needs to be done to categorize the various types of software you use and whose fingers are in the pie,” he said.
The consequences of software failure may not be immediately apparent, Mr. Cerf said. For example, heat sensors in a building may seem like a low-level security risk, but a sophisticated analysis of the changes in temperature can show when a building is occupied and when the occupants usually leave and return, which is valuable information for criminals, he said.
“We need to figure out how to move the software industry to a place where it is safer, more secure and more able to preserve privacy,” Mr. Cerf said.