Congressional Internet Caucus Letter

Download PDF

October 2, 2001

To:     Members of the U.S. Congress, Congressional Internet Caucus
Fr:     U.S. Policy Committee of the Association for Computing Machinery (USACM)
          Contact: Jeff Grove, Director of Technology Policy, USACM, (202) 659-9711
Re:    Legislative Recommendations to Secure the U.S. Computing Infrastructure

We understand that Congress is currently considering many legislative initiatives to address issues of security and law enforcement related to terrorism. We would like to put forth some suggestions for legislative initiatives that will help secure the U.S. computing infrastructure against malicious attacks, whether from terrorists or common criminals.

Many of the current security problems faced by both government and industry stem from the acquisition and use of software that is poorly designed, rushed to market, and/or inadequately tested. This software is often adopted for use based on price rather than quality or safety. Security personnel often point-out that they are forced to use COTS (commercial off-the-shelf) software with a poor history of security because of issues of cost and lowest bid.

We encourage Congress to consider legislative action that will:

  • require Federal specification and evaluation of data processing software and equipment to include explicit requirements for standard security features and proof of comprehensive testing for faulty code;
  • require that vendors disclose a full 3 to 5-year history of security flaws, patches and exploitations of the products (and similar products by the same vendors) proposed in response to Federal solicitations, and require that the evaluation of such proposals give significant consideration to these histories;
  • allow Federal acquisition of computing services and equipment to be done from other than the lowest bidders if product security and safety are judged to be significantly stronger than that of the low bidders;
  • disallow vendors from disclaiming liability for products coded with software practices that are well-known within the security and software engineering communities to be careless and dangerous;
  • enable "software self defense" -- explicitly allow consumers to reverse-engineer software or hardware products if that reverse engineering is done to expose or repair software faults or design errors that reduce the safety or security of the products;
  • enable "software community defense" -- invalidate any license or legal prohibition that restricts publication of benchmark studies, product reviews or other descriptions of the products or algorithms when that publication is made to expose or facilitate repair of flaws that reduce the safety or security of the products.

Page Two:
USACM Memo to U.S. Congress
October 2, 2001

Our national (and international) infrastructure depends on the correct functioning of our computing infrastructure. It is distressing that issues of cost have led the Federal government to acquire and deploy some COTS products in defense, law enforcement, and fiscal operations that are known to be buggy and difficult to secure. Unfortunately, ensuring safety and quality is more expensive, and there have been insufficient incentives for some vendors to pursue -- seriously -- better quality. We request that Congress consider helping to address this issue before we are further endangered. The Internet generally functions well as a cost effective means of data communication. That makes it imperative for those who use it - corporate and consumer alike - to take the initiative to see that the software they own and use meets their own real security and reliability needs.

The ACM is a leading society of computer professionals in education, industry, and government.  The USACM Public Policy Committee, co-chaired by Dr. Barbara Simons and Dr. Eugene Spafford, facilitates communication between computer professionals and policy-makers on issues of concern to the computing community.  For more information, please contact Jeff Grove, Director of the ACM Washington Policy Office at (202) 659-9711, or see the USACM policy web site at: <>.



Related Articles

Global Technology Policy Newsletter – March 2017
ACM PUBLIC POLICY HIGHLIGHTS ACM provides independent, nonpartisan, and technology-neutral research and resources to policy leaders, stakeholders, and the public about public policy issues, as drawn from the deep technical expertise of the computing community. Apply for the new A ...Read More

  • (Posted on 12-Mar-17)
  • ACM Joint Task Force on Cybersecurity Education Grabs Spotlight at U.S. Congressional Hearing
    The ACM Joint Task Force on Cybersecurity Education seized the spotlight during a congressional hearing on “Strengthening U.S. Cybersecurity Capabilities” on Capitol Hill on February 14, 2017. The hearing before the House Science, Space, and Technology Subcommittee on ...Read More

  • (Posted on 18-Feb-17)
  • Global Technology Policy Newsletter – February 2017
    ACM PUBLIC POLICY HIGHLIGHTS ACM seeks to educate policymakers, the computing community, and the public about policies that will that foster and accelerate innovations in computing, computing education, and related disciplines in ways that benefit society. ACM Statement on U.S. E ...Read More

  • (Posted on 12-Feb-17)
  • ACM Sponsors Data Sciences Education Roundtable at the U.S. National Academies of Sciences
    ACM is sponsoring a new 3-year initiative by the National Academy of Sciences on data science postsecondary education. A series of roundtable discussions will bring together representatives from academia, industry, funding agencies, and professional societies to explore the trans ...Read More

  • (Posted on 17-Jan-17)
  • Global Technology Policy Update – December 2016
    ACM PUBLIC POLICY HIGHLIGHTS Cybersecurity Education and Research in Europe – The ACM Europe Policy Committee released a policy white paper “Advancing Cybersecurity Education and Research in Europe.” Committee Chair Fabrizio Gagliardi recently presented the find ...Read More

  • (Posted on 12-Dec-16)
  • Global Technology Policy Update – October 2016
    ACM PUBLIC POLICY HIGHLIGHTS Computer Science Education and Research in Europe – ACM Europe Policy Committee members will be attending the European Computer Science Summit in Budapest, Hungary on October 24-26, which features programs on the challenges and opportunities in ...Read More

  • (Posted on 09-Oct-16)