In security it’s about accountability

Thursday, May 27, 2010 @ 03:05 PM gHale


It is all about accountability and when it comes to security, the implications could be very severe.
In most business situations, “if we have a contractual arrangement and you fail [to meet the requirements], I have legal recourse,” said Richard Marshall, director of global cybersecurity management at DHS during the SecureAmericas conference in Arlington, Va.. “Why wouldn’t the same be true when the supply chain [is involved]? I’m buying a product from you, and you represent that it’s a product with the following characteristics. If you fail, I have a right to sue you.”


Failures in the supply chain led to serious security implications, including hard drives infected with viruses that infiltrated the U.S. market from Asia in 2007 and a case where thumb drives shipped preinstalled with malicious software, which eventually led to the Defense Department imposing a temporary ban on the storage devices, Marshall said.
“Buy from an authorized vendor and make sure that vendor has purchased from an authorized vendor,” Marshall said.
Federal technology and acquisition officials must write contracts that set specific expectations for how industry secures computer hardware and software, including assurances the products they purchase from suppliers and the development processes followed best practices.
“Both sides have to operate under due diligence in defining characteristics [of the contract],” Marshall said. “You’re going to want to design a contract in your favor, and I will in mine. There’s that constructive tension, but I believe it’s [productive] if we have the same objective, which is building good quality stuff.”



Leave a Reply

You must be logged in to post a comment.