RealTime IT News

Is Data Security Bill Misguided?

Government intelligence is sometimes an oxymoron, and that appears to be the case with House Bill 2970, introduced to improve data security but likely to do just the opposite, according to IT research and consulting firm Gartner Inc.

If the bill is passed, successful hacker attacks will increase more rapidly even though the legislation should cause an increase in spending on add-on security products, Stamford, Conn.-based Gartner said.

The measure, aimed at amending the Internal Revenue Code of 1986 to allow businesses to expense qualified security devices, would provide tax breaks for spending on add-on security products, but the incentive would not apply to spending on more secure products to replace products loaded with security defects, Gartner contends.

The bill was introduced Sept. 25 by Rep. Jerry Weller, R-Illinois, and was referred to Ways and Means. It specifically mentions computers and software "used to combat cyberterrorism."

"The fatal flaw of this proposed bill is that it encourages spending to fix security problems instead of providing incentives to avoid them," said John Pescatore, vice president for Gartner's network security research team.

"It's like when you live in an earthquake zone, building an earthquake-resistant house is a much more effective strategy than trying to shore up a shaky structure with 2x4s and steel rods. It is the same concept with enterprise software; safeguards must be built in to ensure security instead of adding fixes afterward to mend a weak system."

Gartner said there are two reasons why increased security spending for add-on products would not lead to a reduction in hacker activity:

The first is that there are many more targets for attackers because an increased number of servers are continuously being exposed to the Internet. The second is that a surge of security flaws is appearing in the computer software products and platforms used to host Internet-exposed applications.

"To truly increase information security and decrease cyberattacks, enterprises should use their purchasing power, and the government should use any proposed legislation to encourage software vendors to develop and ship more secure products right from the start," said Pescatore.