US government calls for enforced patches

The US government's call to force security and virus patches on users has been met with consternation by the antivirus industry.

On Tuesday, the US president's computer security advisor Richard Clarke called for more forceful methods of distributing software fixes to personal computers.

Following the outbreaks of Nimda and Code Red, both of which exploited known vulnerabilities, Clarke said that "the problem is that people do not apply those patches".

He claimed that it shouldn't be "beyond the wit of this industry" to force patches on users. But antivirus firms have disputed this, arguing that many users have chosen to be in control of their own updating procedures.

Clarke believes that 90 per cent of virus attacks could be stopped if security vendors forced users to patch up their systems.

He also said that software should ship with the highest security settings as default. Typically, software vendors have claimed that they sacrifice some security for the sake of usability, but this should "not be an afterthought anymore", said Clarke.

However, Graham Cluley, senior technology consultant at Sophos, retorted: "I fear the US government is making comments without being fully aware of the facts."

Cluley explained that most antivirus vendors give their customers the option of automating updates but that "some businesses are reticent about outsourcing crucial security measures. For peace of mind, they'd rather implement their own updates to ensure they work properly for their environment."

Clarke also made the rather bold statement: "America built cyberspace and America must secure its cyberspace."

Cluley agreed that the US government does have a vital role to play in security, but said: "The US courts have still to sentence David Smith, even though it's more than two years since he pleaded guilty to writing the Melissa virus and causing $80m worth of damage."

"Sentencing could go a long way to deterring other virus writers," he added. "This would be a real boost to businesses operating under the threat of virus infection."