Gartner Says House Bill 2970 Would Hinder, Not Help Internet Security

STAMFORD, CT -- Although House Bill 2970 was introduced with the goal of improving information security, it will likely do just the opposite, according to Gartner, Inc. (NYSE: IT and ITB). If the bill passes, successful hacker attacks will increase more rapidly, even though the legislation should cause an increase in spending on add-on security products. Bill 2970 would provide tax breaks for spending on add-on security products, but the incentive would not apply to spending on more secure products that replace products loaded with security defects.

"The fatal flaw of this proposed bill is that it encourages spending to fix security problems instead of providing incentives to avoid them," said John Pescatore, vice president for Gartner's network security research team. "It's like when you live in an earthquake zone: building an earthquake-resistant house is a much more effective strategy than trying to shore up a shaky structure with 2x4s and steel rods. It is the same concept with enterprise software; safeguards must be built in to ensure security instead of adding fixes afterward to mend a weak system."

According to Gartner, there are two reasons why increased security spending on add-on products would not lead to a reduction in hacker activity. The first is that attackers have many more targets, because an increasing number of servers are continuously exposed to the Internet. The second and more important reason is that a surge of security flaws is appearing in the software products and platforms used to host Internet-exposed applications.

"To truly increase information security and decrease cyberattacks, enterprises should use their purchasing power, and the government should use any proposed legislation to encourage software vendors to develop and ship more secure products right from the start," said Pescatore.

According to Gartner, the government should consider alternatives to Bill 2970. For example, the government could provide incentives to accelerate the process by allowing education tax breaks for security training of software developers, by removing antitrust and Freedom of Information Act barriers to software vendors sharing vulnerability information, and by demonstrating leadership in securing its own Internet-connected systems.

For further information visit www.gartner.com