
transpositions of the Product Liability Directive. One might argue in favour of regulatory action to make this point clear. However, this is a somewhat indirect way of proceeding; we might have to wait years for an ISP or other injured party to drum up the courage to launch the needed test case.

Option 3: Laissez-faire

The third option, which should at least be mentioned, is to do nothing. For example – as we will discuss below – Sun and Hewlett-Packard are much slower to patch than Microsoft or Red Hat, and so (in the business sector at least) the mere provision of authoritative, unbiased information about the level of assurance provided by different vendors’ offerings may be sufficient to enable competitive pressures to fix the problems over the medium term. In the case of consumers, however, there is little choice: people can either buy Windows, or pay significantly more for Apple machines (which also run fewer applications).

Option 4: Safety by default

The fourth option is that, when selling PCs and other network-connected programmable devices to consumers, vendors should be required to configure them so that they are secure by default. It’s illegal to sell a car without a seatbelt, so why should shops be allowed to sell a PC that doesn’t have an up-to-date operating system and a patching service switched on by default? We believe that this gives a more direct approach to the problem than option 2; and of course vendors who sell insecure systems should be exposed to lawsuits from ISPs and other affected parties.

Recommendation 5: We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.

The precise nature of ‘secure by default’ will require some consideration. At present, the most important issue is whether the operating system is patched when the customer first gets it, and subsequently. The UK House of Lords, for example, suggested mandatory ‘best-before’ dates on PCs, as these often sit in the supply chain for months and, once connected to the Internet, can be infected before the users even have time to connect to Microsoft to patch them up to date. Clearly, in such a case, the liability should fall on the shop rather than on the software vendor.
Another solution would be to supply each PC with an up-to-date CD of patches; another might be to apply patches from a memory stick in the shop; yet another might be to redesign the software so that the machine would not connect to any other online service until it had visited the patching service and successfully applied an update. Regulation should seek to enforce the principle of security by default rather than engineer the details, which should be left to market players and forces. And we are careful to specify ‘all network-connected equipment’ rather than just PCs; if we see more and more consumer electronic devices online, but without mechanisms for vulnerabilities to be patched, then in due course they’ll be exploited. ‘Secure by Default’ isn’t just limited to patching. There are issues with active content (ActiveX, Visual Basic and JavaScript), which will no doubt change over time. Another