_____Washtech_____ • More Cybersecurity News E-Mail This Article Print This Article Permission to Republish

By Neil Irwin
Washington Post Staff Writer
Friday, May 17, 2002; Page E05

Major software companies, government agencies and academics yesterday launched a consortium that aims to find ways to make software more dependable and secure.

Carnegie Mellon University in Pittsburgh announced the creation of Sustainable Computing Consortium, a group whose founding members include Microsoft Corp., Raytheon Co. and NASA. The group intends, among other tasks, to figure out specifications for software quality so that sellers and buyers of computer programs will have a uniform way to measure quality.

The ultimate result of those standards might be word processors that are less likely to freeze up during use, data-processing centers that operate 99.99 percent of the time instead of the 99.9 percent of the time they work now, and insurance companies that are better able to gauge the risk that a client's customer database will get hacked and can therefore appropriately price insurance coverage.

The effort intends to pull in expertise from a broader group of people than just computer scientists, said William Guttman, a professor of economics and technology at Carnegie Mellon who is director of the consortium. He cited studies that concluded that defective software cost businesses worldwide $175 billion in 2001 and that 45 percent of computer downtime is because of software glitches.

"This should not be just technical work on algorithms and methodologies," he said. "We're involving economists, public policy experts and lawyers as well as software engineers."

The work has particular impetus from Sept. 11, Guttman said, because corporate and government computer systems must be protected from both lone computer hackers and organized terrorists.

For example, he said, one common flaw in computer programming is called a "buffer overflow," which is common in the underlying architecture of software both simple and complex.

"Buffer overflows are not just a bug that causes a system crash but an avenue by which hackers or terrorists can exploit organizations," Guttman said. "It's a hole through which they can enter a software system."

The consortium, he said, will develop tools, procedures and measurement capabilities so that programmers can better avoid buffer overflows and so that companies buying software can know how prevalent the bugs are in the software before buying it.