Task force issues more cybersecurity goals

WASHINGTON - IT vendors should improve default security settings in their products, a committee of the National Cyber Security Partnership Task Force (NCSP) said in a set of recommendations it has released on technical standards.

The NCSP's Technical Standards and Common Criteria committee released its cybersecurity recommendations Monday, with the group of academics, government officials, IT vendors and customers asking vendors to provide stronger "out-of-the-box" security configurations and to support at least one configuration profile that provides a baseline security level.

The 104-page committee report, available at http://www.cyberpartnership.org/TF4TechReport.pdf, is intended to put more pressure on vendors about default security settings and raise awareness about best practices and security audits, said Mary Ann Davidson, chief security officer at Oracle Corp., and cochairwoman of the committee. The committee is hoping to move the debate away from advice that vendors may or may not choose to follow, she said.

"We're trying to change the dynamic to, 'Vendors ought to do this,'" she said.

Her committee, which worked on the recommendations for about four months, revised its work to give the recommendations stronger wording, she said.

Among the recommendations:

-- Vendors should provide more substantive security recommendations, configuration checklists and best practices to customers.

-- The U.S. government, user groups and customers should encourage more independent security evaluations of IT products.

-- The U.S. government should help offset the costs of an IT vendor going through a Common Criteria security evaluation through tax credits or other methods.

-- The U.S. government should fund the development of code-scanning tools that detect flaws in software code.

But many of the recommendations place the responsibility for cybersecurity on vendors. "As an industry, we corporately need to do a better job of security infrastructure," Davidson said.

Davidson plans to take the recommendations, as well as others from NCSP, back to Oracle to see how her company can improve security, she said. "This is not done, we're not thinking, 'We've issued a report and we can go home,'" she added. "Most of us want to take it to the next level and show concrete progress."

The National Cyber Security Partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure, following the release of the White House National Strategy to Secure Cyberspace in February 2003 and the National Cyber Security Summit in December. The partnership is led by TechNet, the Business Software Alliance, the Information Technology Association of America and the U.S. Chamber of Commerce.