At first glance, cyber crime may not seem like a major issue for a community like ours. Except in exceptional circumstances, why would a group that focuses on bidding, negotiating and contract management care about software security?
Last month, IACCM was invited by the US Federal Government to participate in a conference / workshop on this topic - and it quickly became evident why we should care, and that this is an issue from which few of us will remain immune. To reinforce the point, I will quote from a Client Alert received today from the international law firm Baker & McKenzie:
"We are in the midst of a significant expansion of corporate obligations regarding security for digital information. Most businesses are, or soon will be, subject to two key legal obligations:
• A duty to provide security for their corporate data and information systems; and
• A duty to disclose information security breaches to those who may be adversely affected by such breaches."
Today's software is designed with holes. Everyone knows there are holes - after all, software warranties are very clear: they specify that the product will not be error-free. Designers assume they will create 'patches' and 'fixes' once the program is in operation, and they increasingly use remote access tools to undertake repairs. These same holes are used by hackers and criminals to penetrate to the heart of today's corporations and public agencies.
While software operated exclusively within closed networks, the glitches were annoying and caused delay, but they were a tolerable price to pay for faster availability of new products and lower costs of licensing or acquisition. The big change came with the internet and external connectivity. Essentially, this has created a highway right into the core of any business operation - and the 'holes' in software applications represent open doors.
Today, how many of us sell or acquire products that don't incorporate software code? We may not think of our negotiations in terms of software - but the majority of high-value transactions are in fact affected.
While the US Government believes that the long-term answer lies in improved software development procedures, it is realistic in assessing that these will take time to achieve - and the issue is far more immediate and critical. It also knows that initiatives must be international if they are to be effective, since software is produced all over the world. So it is seeking to drive changes in acquisition rules and policies, to ensure that security issues are addressed as part of the vendor selection and negotiation process.
This is not just about imposing onerous terms and creating another source of buyer / seller confrontation (though it could turn out that way if there is no cooperative debate). The Federal Government hopes that much can be achieved through education and open discussion: that the two sides can evaluate the potential exposures in a particular acquisition and then agree terms and procedures that establish appropriate levels of security.
That means work is under way to generate a comprehensive acquisition guide, and the US authorities would like this to be an international effort; they emphasize that the exposures are global - the internet is everywhere - and the suppliers come from everywhere. Development is also worldwide, often through off-shore centers.
IACCM offers a potential source of assistance in several areas:
1. To provide commercial insights - especially from industries like Financial Services or Health, which may be at the leading edge of thinking on these issues (they clearly face particular exposures due to recent regulation);
2. To build a collaborative approach - confrontation with the supply community is not the best way forward;
3. To ensure a global view and input - this will be better if it is an international solution.
Still not convinced? Well, think about the dependency on software that you have in your day-to-day life. Consider how our sophisticated economies rely on software to function. And recognize that this issue will be a major element of our selection, negotiation and contract management activities in the very near future.
If you have comments or advice to contribute, or would like to be part of the IACCM network reviewing and advising on this topic, please contact Tim Cummins - firstname.lastname@example.org.