
How About a Law That Imposes Costs for Security Flaws


For decades, the chemical industry in this country contaminated rivers, beaches, air, and parks. The leading-edge manufacturers that made our daily lives so much better and easier were also guilty of a great deal of harm. And not because they were evil, but because they were capitalists. The money it would have cost to keep the air clean was spent instead where it paid off competitively: on thriving in the marketplace. Without the clean-air and clean-water laws on the books today, we would still be drinking disease-causing water and breathing smoke-filled air.

Granted, capitalism and marketplace competition are the most powerful engines for human progress. But these much-admired engines must be paired with good law if they are to strive for perfection. For one thing, the law ensures a level playing field: if everyone has to pay to comply, then the good guy incurs no disadvantage.

Now consider the situation in today's digital economy. Software providers and network-based services regard security as an expense to curb, a job to minimize, a line item to pare down on the budget sheet. A new ad campaign would increase sales; if the same money goes instead into sophisticated pattern-recognition software to catch infrequent intrusions, those added sales will not materialize. So, the thinking goes, if security is the priority, you end up with a poorly promoted, highly secure product that nobody is buying.

As a result, in today's cutthroat, competitive world of information technology, nobody has the luxury of being generous with security dollars. And, what's more, everybody does the same thing. Version 1.0 of anything is a product to avoid, because vendors and suppliers rely on actual crashes, intrusions, and losses to expose the holes in their products. It's cheaper than hiring an army of white-hat hackers. Since everyone is in the same boat, there are no repercussions and no costs for security flaws. This makes security patches a way of life even for high-end products. Imagine a car company saving on crash tests by relying instead on roadside collisions and live accidents to expose design flaws.

As with air and water pollution, a good, sensible piece of legislation would fix this sorry state of affairs. The two main components of such legislation should be (1) liability, and (2) third-party certification.

You can't use even freeware or shareware today without signing off on a user agreement that releases the vendor from any liability whatsoever. We don't grant this immunity to car manufacturers or to food purveyors. What's the difference with computer applications? There is one key distinction: a single, impoverished teenager may distribute a million copies of his software. He cannot be made financially liable for the damage it causes, and a strict, inflexible liability law that tried to make him so would crush innovation.

This reality must be acknowledged, and the law must be tailored to the deep pockets of the large software houses. Big users, starting with the federal government itself, should require vendors to be bonded, to submit to arbitration, and to be accountable for clear and obvious security risks that a reasonable professional would be expected to spot. That last clause is, in effect, a negligence standard: it penalizes the flaw a competent reviewer would have caught, not every flaw that could ever be found.

A policy of "don't ask, don't tell" runs silently in software houses with respect to security flaws. Who wants to be the one to tell the boss that the release date of the highly anticipated new version will have to be postponed because the programmers just discovered a big security hole? That is why it may be necessary to legislate a requirement for an independent security audit conducted by a third party. Much as a CPA thrives on a reputation for accuracy and honesty, so it should be for dedicated security auditors. Their sign-off would be a prerequisite for contract work.

Once they were required to attach a security bill of health to their products, vendors would soon learn that it is best to involve that security maven at the very early stages of design, since retrofitting security into a finished product is far more expensive than designing it in.

A fit punishment for a repeat security violator might be for a court to order the offender to "strip naked in public," that is, to expose the product's source code so that the professional community at large can spot the security holes and fix them.

Neither element, liability or third-party certification, is easy to write into law. One lawmaker's staffer intimated to me that any such law would likely be botched, misapplied, or do more damage than good. But, then again, we now have a brand new Congress. Maybe they'll take it as a challenge!