Cyber Eye: IT security needs both a carrot and a stick
The National Strategy to Secure Cyberspace, released by the White House in February 2003, called for a public-private partnership to protect the nation's vital infrastructures. Over the past two months, the National Cyber Security Partnership has written a series of reports outlining how to accomplish it.
Although the task forces that produced the reports were developed with cooperation from the Homeland Security Department, members came primarily from the private sector. Not surprisingly, the thrust of their reports was that the private sector should voluntarily make more reliable hardware and software and secure its own infrastructures. The government should support those efforts with research funding.
The companies that produce and implement hardware and software for the nation's infostructure could do a much better job of securing their products and systems. The industry leaders who drafted the reports said companies really want to do the right thing, if someone would just point out what it is.
The problem with this approach is that the private sector's idea of the right thing depends on the bottom line of the next quarterly statement. Furthermore, the private sector finds enforcement cumbersome.
A more reliable means of ensuring reasonable performance would be liability. If vendors were held liable for damage caused by faulty products and flaws that could have been prevented, the right thing and the bottom line would rapidly converge.
The vendors say this is unnecessary and costly. If liability were established, companies would complain of frivolous lawsuits and runaway juries. Millions of dollars would be spent fighting lawsuits to the last drop of the last plaintiff's blood.
But the mere threat of payouts would have another effect. Software and hardware vendors would protect themselves with insurance coverage, and the insurers would in turn impose requirements on clients to lower their exposure.
Best practices in guidelines such as those from the National Cyber Security Partnership and other industry groups would quickly grow teeth. And insurers, unlike government regulators, would be immune to computer industry lobbyists.
I believe that hardware and software vendors really do want to do the right thing. I also believe it would be easier for them if they had some encouragement.