A clear way to fix security woes

Public disputes are unlikely to be the best way to handle dangerous vulnerabilities. A more responsible way is needed.

Any state of affairs which creates three impossible positions needs to be fixed. When that state of affairs directly affects the viability of the Internet at its most fundamental level, it needs to be fixed fast. When Cisco declares that it has been placed in an impossible situation by revelations from a security analyst, the analyst claims the same because of Cisco's intransigence, and the rest of us are left wondering if the core routers in the Internet are going to get hacked to pieces, we can reasonably demand a swift solution.

Yet the problem seems intractable. A responsible analyst should of course go to the vendor whose products are affected and disclose the vulnerability in confidence, and the vendor should then work as hard as is reasonable to effect repairs. When the parties disagree about significance and impact, we descend into an intractable mess of motive, ego, profit and face-saving where the right course of action may be impossible to ascertain.

The solution is mediation. We propose a clearing house for security claims, a certifying body composed of vendors, independent industry and government experts, and with strong connections at CIO level. Reports of problems can be made in confidence to the clearing house, which then has the responsibility to negotiate a timetable for the fix with the vendor concerned. It has the sanction of decertifying a product if it is dissatisfied with the vendor's response — a process which will signal to customers that there is a problem without exacerbating it through detailed revelation — and can also reward researchers with recognition worth more than self-publicity.

In the long term, it is too dangerous to rely on one vendor for critical infrastructure. Single points of failure are bad engineering, and a single point of failure with multiple global vulnerabilities is frighteningly bad engineering. It may be that in time it will be a requirement for vendors of critical systems to co-operate at a level that makes proper multi-source redundancy not only possible but simple, and it would be a proper extension of the clearing house's work to encourage the development of such standards.

Meanwhile, all we can do is hope that whatever problems are in Cisco's operating system are fixed rapidly and effectively, and that Michael Lynn really did do the right thing. Hope is a poor substitute for logic; if we want to forestall such problems in the future, we'll have to take a different route.