Software Patches Eat Government IT's Lunch

Published: 22/11/2024   Category: security




The software industry's publish-now, update-later approach exacts a huge toll on government IT leaders like Robert Jack, CIO of the U.S. Marine Corps.



Netscape co-founder and prominent tech investor Marc Andreessen famously noted that "software is eating the world." Unfortunately, it's also eating the lunch of most enterprises, including federal agencies.
For all the talk about wasteful government IT spending, little is said about the costs agencies pay to patch buggy software, a consequence of the industry's predisposition to release their wares now and fix them later. For Robert Jack, CIO of the U.S. Marine Corps, those costs aren't incidental.
"We have roughly 300,000 people, of which a third have day-to-day access to the enterprise network," Jack said at a recent forum on cybersecurity. "I have to defend the network at the desktop or end-user device. I have over 450 registered systems that are regressed to 10 significant versions. When we get a patch from a vendor, we have to go out and test that against all that."
He continued, "Think about the labor hours where I have to touch [and administer patches on] all those devices. And that's just for one patch." Every week, dozens of new vulnerabilities are catalogued by US-CERT, the government's computer emergency readiness team, offering a glimpse of the headaches Jack and CIOs like him face.
Speaking to the software industry at large, Jack said bluntly, "You're killing me."
[ As cloud and mobile proliferate, federal IT leaders should take a more data-centric approach to security. Read "Secure Data, Not Devices." ]
The staggering cost of software bugs is hard to nail down. However, a Cambridge University study released earlier this year estimated that finding and fixing coding problems costs software makers and the global economy $312 billion a year. That doesn't reflect what customers must also spend to patch and maintain that software on their networks.
The problem, however, goes well beyond the mechanics of software and system maintenance. It also goes to the heart of network security and the growing risks associated with unknown software vulnerabilities, Jack said. Having spent 40 years in charge of command, control, communications, computers and cyber operations for the Air Force, the Defense Department and now the Marine Corps, Jack knows the problems as well as anyone.
Software by its nature is a work in progress. While vendors can't anticipate every problem, some of which are spawned when software interacts with other software on a network, vendors are making too many calculated compromises in order to ram their products and updates into production, Jack said. But worse, they're exposing organizations and their executives to growing liabilities if something goes wrong.
Jack pointed to recent reports, which he didn't specify, indicating that 25% of hospital operating room liability lawsuits are now tied to software coding problems. Lawsuits based on software failures are also becoming a big concern for the auto industry, he said, and the issue has prompted high-level discussions within the Defense Department.
It's only a matter of time before high-profile enterprises become targets for liability lawyers looking to exploit software mishaps, Jack warned, adding that those in positions of authority ought to consider looking for "some big-time insurance." In a recent article on the growing threat of software product liability for the Berkeley Technology Law Journal, Lawrence Levy and Suzanne Bell noted, "As society increasingly relies on software to perform critical functions in everything from manufacturing to life-support systems, the risk that an error in a software program will lead to economic loss, property damage or personal injury increases."
One of the big questions surrounding software liability, however, is whether computer software is a good or a service. That's important, Levy and Bell say, because the sales of goods, but not of services, are subject to the damages and warranty provisions of the Uniform Commercial Code. The courts, however, are now beginning to consider cases involving not only the software itself, but also significant maintenance and support services, and this is likely to impact more and more organizations.
In the meantime, Jack concluded, software vendors aren't likely to change the way they develop, test and deploy their products. "I've been beating that drum for 15 years," he said. "I don't believe legislating software assurance is going to work. I need corporate citizenry to step up to the plate and take responsibility for what they put into their software."
About the only thing government agencies can do is manage their risks. The fast pace of software adoption has all but rendered the governments approach to software security certification and accreditation obsolete. In fact, the old certification and accreditation process has been gone for three years now, said Ron Ross, a senior security official at the National Institute of Standards and Technology, during the same forum.
NIST, which sets the security standards for government agency information systems, has moved to a risk management framework that calls on agencies to perform real-time network monitoring to identify attempts to exploit hardware and software vulnerabilities. About 10% of attacks will get through defenses no matter what, Ross said.
"If you know that your system can withstand a cyber-attack and that malware can't spread through the network and bring you down," he added, authorizing officials should be in a better position to accept a certain degree of risk. However, most federal agencies' inability to replace legacy systems due to lack of funding and cultural inertia makes it difficult to manage all the risks associated with so much software.
The challenge is only getting greater for CIOs like Jack as government agencies expand their networks into the cloud and extend their services to mobile devices. While those moves hold the promise of new and greater efficiencies, they also add more layers of software and the inevitability of more software patching.
