During a congressional hearing today exploring a national strategy for cybersecurity, a noted cybersecurity expert appealed for the federal government to use its procurement strength to force vendors to deliver safer IT systems.
"Only massive procurement power can persuade vendors to deliver safer systems rather than the standard systems they sell at retail to businesses and consumers," Alan Paller, director of research for the SANS Institute, told the Senate Committee on Homeland Security and Government Affairs.
Paller told lawmakers how the Air Force was able to get Microsoft to deliver software with secure configurations "baked in" because Microsoft didn't want to lose out on the $500 million the military branch was about to spend on software over the next six years.
The idea now is for the federal government to learn from the Air Force's good example. Currently, Federal Acquisition Rules mandate that security be built into procurements from the start. That rarely happens, Paller said.
"There are no penalties or even checks and balances to ensure security is part of the acquisition strategy," he said.
Paller testified that only the vendors who sell technology to the government can configure it securely. The government can convince them to do this, but only if it dangles huge contracts before their eyes and awards them solely to vendors that build in security from the beginning.
"The $70 billion in annual federal IT spending is enough to get radically better security baked-in, but most agencies—other than the Air Force—are not yet using that procurement leverage to ensure systems come with security baked in," he said.
Paller said IT companies most certainly will complain and say "One size does not fit all." But the government should ignore them, he said, because that claim is wrong.
"Microsoft sells one size of Windows to tens of millions of people. Cisco sells one size of IOS to hundreds of thousands of people. Oracle sells one size of its database to tens of thousands of people. Hundreds of vendors sell only one size," he said. "One size, to all these vendors, clearly fits all."
The security gains will also ripple through the private sector, Paller argues. After it sold products with security baked in to the Air Force, he said, Microsoft began to sell products with the same built-in security to other buyers.
Paller's testimony today came as President Obama's 60-day review of national cybersecurity capabilities is expected to be released any day. Cybersecurity experts expect the review will recommend creating a new cybersecurity cabinet position that reports directly to the president as well as closer private-public partnerships, among other recommendations.
But Paller believes these changes will achieve nothing if the government doesn't use its procurement power more strategically.
"If procurement is not fixed, nothing else really matters," he said.