Bugless software is key to cyber security and global vendors should pay hackers who have detected program bugs and so helped pre-empt attacks, a top IT expert told a NATO cyber security meeting here Thursday.
“Software vulnerabilities enable breaches. If we want to make cyber space safer, we need to find a way to force vendors to produce more secure software,” Charlie Miller told some of the world’s top IT security experts attending NATO’s third annual cyber defence conference.
Renowned in IT circles for having detected bugs in Google’s Android software and being the first to find a critical bug in the MacBook Air, Miller has also worked as a computer security specialist at the US National Security Agency.
He charges that the reluctance of software vendors to pay hackers for weeding out program bugs is a factor contributing to online security breaches.
“Vendors don’t like to pay for (the detection of) bugs because of many reasons; among other things, they’re afraid it will encourage people with good IT skills to find bugs, or it may make competitor’s software look more secure,” he said, noting that companies like Mozilla and Google have paid up to 3,000 dollars (2,053 euros) for information on software flaws.
“There are some unused solutions we can consider. Vendors could step up and pay those who find bugs — major vendors can cooperate to pay into a fund that pays for bugs and governments too can encourage the vendors to pay for (the detection of) bugs,” he insisted.
NATO announced plans this week at its Tallinn conference to beef up alliance cyber defence capabilities with the creation of a special task force to detect and respond to cyber attacks.
The Symantec cyber security firm recently reported that web-based attacks in 2010 were up 93 percent from 2009.
The June 7-10 NATO cyber security conference, attended by 300 top IT experts from across the globe, focuses on the legal and political aspects of national and global Internet security.