The federal government should set goals for reducing flaws in computer software that allow attacks by hackers, and other regulations might be necessary to better protect cyberspace, an industry task force said yesterday.
Despite rising incidents of worms, viruses and identity fraud that have cost businesses and consumers as much as $10 billion a year, technology companies have fiercely resisted calls for government intervention that would require companies to provide safer software and strengthen their networks.
Many cyber-security experts have argued for years that such measures are needed in a world where an attack on one computer or network can rapidly spread to thousands or millions of others. They also cite the risk of cyber-terrorism, aimed at networks that control energy, water and other critical services.
The report issued yesterday stops short of specific mandates, focusing primarily on broad, voluntary measures for both the makers of software and the network operators who use it.
But the task force, headed by representatives of software giant Microsoft Corp. and security vendor Computer Associates International Inc., suggested some rules might be needed.
"It is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," said the report.
The task force, whose members include technology and non-technology companies and some academics, is one of four such groups created in December in a partnership with the Department of Homeland Security. A year ago, the Bush administration issued several rules for federal agencies to improve computer security but directed the Department of Homeland Security to work with the private sector to develop voluntary strategies for businesses.
Other recommendations in the report include: increased funding for cyber-security research at universities; improved university certification programs that stress security training for engineers; and a Department of Homeland Security evaluation of software vulnerabilities.
"To have a secure U.S. cyber infrastructure, the supporting software must contain few, if any vulnerabilities," the report said. "The quality of software . . . is frequently not adequate to meet the needs" of computer users and network operators.
But the willingness expressed in the report to consider regulation did not satisfy some critics.