Software Patches Eat Government IT's Lunch

The software industry's publish-now, update-later approach exacts a huge toll on government IT leaders like Robert Jack, CIO of the U.S. Marine Corps.
In a recent article on the growing threat of software product liability for the Berkeley Technology Law Journal, Lawrence Levy and Suzanne Bell noted, "As society increasingly relies on software to perform critical functions in everything from manufacturing to life-support systems, the risk that an error in a software program will lead to economic loss, property damage or personal injury increases."

One of the big questions surrounding software liability, however, is whether computer software is a good or a service. That's important, Levy and Bell say, because "the sales of goods, but not of services, are subject to the damages and warranty provisions of the Uniform Commercial Code." The courts, however, are now beginning to consider cases involving not only the software itself, but also significant maintenance and support services, and this is likely to impact more and more organizations.

In the meantime, Jack concluded, software vendors aren't likely to change the way they develop, test and deploy their products. "I've been beating that drum for 15 years," he said. "I don't believe legislating software assurance is going to work. I need corporate citizenry to step up to the plate and take responsibility for what they put into their software."

About the only thing government agencies can do is manage their risks. The fast pace of software adoption has all but rendered the government's approach to software security certification and accreditation obsolete. In fact, "the old certification and accreditation process has been gone for three years now," said Ron Ross, a senior security official at the National Institute of Standards and Technology, during the same forum.

NIST, which sets the security standards for government agency information systems, has moved to a risk management framework that calls on agencies to perform real-time network monitoring to identify attempts to exploit hardware and software vulnerabilities. About 10% of attacks will get through defenses no matter what, Ross said.

If you know that your system can withstand a cyber-attack and that malware can't spread through the network and bring you down, he added, authorizing officials should be in a better position to accept a certain degree of risk. However, most federal agencies' inability to replace legacy systems due to lack of funding and cultural inertia makes it difficult to manage all the risks associated with so much software.

The challenge is only getting greater for CIOs like Jack as government agencies expand their networks into the cloud and extend their services to mobile devices. While those moves hold the promise of new and greater efficiencies, they also add more layers of software and the inevitability of more software patching.
