Governments Should Push Vendors to Eliminate Software Security Flaws, Researchers Say
Patches sent out by vendors after the release of an operating system have become the norm, but they suggest that the software has not been properly vetted, said Peter Sommer and Ian Brown in a report, “Reducing System Cybersecurity Risk,” produced by the Organization for Economic Cooperation and Development, a 34-member intergovernmental organization headquartered in Paris.
“Large numbers of attack methods are based on faults discovered in leading operating systems and applications,” the authors said.
Governments should use their procurement power, standards setting and licensing to “influence industry suppliers to provide properly tested hardware and software,” they said.
The report is part of a series looking at “future global shocks.” Sommer and Brown downplayed the possibility of a large-scale cyberwar having a widespread impact on the world.
The term “cyber-attack” is often overhyped, they said, and has come to encompass even the most ham-handed phishing attempts to steal a password.
“Rolling all these activities into a single statistic leads to grossly misleading conclusions,” they said.
“It is unlikely that there will ever be a true cyberwar,” they said. Critical computer systems are protected against known threats, and finding unknown vulnerabilities that can be used in a global attack is difficult. In addition, would-be perpetrators know that the unpredictability of such a war means they would be just as likely to be damaged themselves.
There is one potential “shock” that is not often discussed: a massive solar flare could physically destroy key communication components such as satellites, cellular base stations and switches, they said.