CYBEREYE

Can cybersecurity profit from corporate self-interest?

A panel of telecom industry executives made a strong plea to Congress during a recent hearing that cybersecurity regulation would stifle innovation and could actually make their networks less secure. Market forces, they said, will protect them much better.

But current events show that relying exclusively on market forces as an incentive for securing networks, coupled with an insistence that all regulation is bad for security, does a disservice to those who rely on this critical infrastructure. Not only are the networks themselves vulnerable to attack, but they also are channels for delivering attacks to enterprises, IT systems and end users around the world.

AT&T CSO Edward Amoroso was the staunchest opponent of regulation to testify before the House Energy and Commerce subcommittee on Communications and Technology on March 7.

“Overbroad regulation and certification requirements will likely have unintended consequences, such as emphasizing the status quo by focusing on yesterday’s challenges,” he said. “An overly prescriptive approach can only serve to stifle Internet innovation and the technology leadership of the United States in the global information infrastructure. Quite simply, innovation is inconsistent with standardization.”

That is a strange attitude for an industry that has thrived as a direct result of standardization, one in which standardization has produced innovations almost unimaginable a few years ago, such as pocket-sized wireless computers that dwarf the power of the original desktop PCs.

But just as strange is Amoroso’s statement that “we are being out-innovated by our adversaries,” and that AT&T is confronted with malware “so good and so well-crafted that we marvel at how far our adversaries have come.”

Why are we being out-innovated?

If market forces are all that are needed to compel companies to defend their networks, how is it that the telecom industry, which is fettered by no cybersecurity regulation, is being out-innovated by its adversaries?

If commercial self-interest is the only incentive necessary for cybersecurity, why is the security of privately owned critical infrastructure an issue today? Why is Congress considering regulation?

“Burdening the private sector with the cost of unnecessary and ineffective regulations and processes . . . will only slow advances in cybersecurity,” Amoroso said.

But he is being disingenuous when he refuses to consider the possibility of necessary and effective regulation.

It would be wrong to dismiss out of hand the industry’s argument that commercial self-interest is an incentive for effectively securing its networks. It obviously is, to some extent. And it would be wrong to dismiss industry calls for better information sharing within the industry and between the private sector and government. Cooperation between the stakeholders is necessary and is today inadequate, although improving.

It also is true that a company can be doing a good job at security and still remain open to breaches. Absolute security is impossible, after all, and the presence of a vulnerability does not necessarily mean that an organization has ignored or failed at security.

But it also is wrong to ignore the fact that the security of the nation's critical infrastructure currently is inadequate, that commercial self-interest provides only limited incentive for security investments to a company that is dedicated to producing a profit for shareholders, and that the government has a legitimate interest in the security of the infrastructure that is critical to our economy and safety.

The government can protect that interest in two ways: by directly monitoring and defending privately owned networks, which probably is unwise, or by exercising responsible oversight with targeted and effective regulation that sets baselines for securing critical infrastructure. Such regulation would not be burdensome. Indeed, if a company already is doing everything it can to protect itself, it would not even notice such regulation.

Reader Comments

Tue, Mar 13, 2012

If it was not for regulation, standards, laws, guidance, or requirements, the Government may not do anything or much as it relates to security – well, at least until it is too late. FISMA is a paperwork exercise – but it requires the Government to invest in security infrastructure and therefore commercial organizations to innovate in security and privacy solutions. Most (not all) commercial organizations use a simple metric for security - it is called profit. So if it does not affect the bottom line, it is just cheaper to do nothing, easier to pay fines, not worried about embarrassment, then commercial organizations make risk-based decisions more reliant on costs on whether to support security or privacy programs. I am not beating up on the Government or commercial organizations (some are early adopters and innovators in these areas) – humans are just reactive (luckily we also adapt – so this attitude is slowly changing). It is no coincidence that healthcare and banks invest in security and privacy – it makes financial sense and they are forced to (regulation). It is also no coincidence that infrastructure owners are resisting regulation – security and privacy programs and solutions are not free. It is not my hope, but we will most likely continue to leave all of our ships in Pearl Harbor and ignore the radar until the enemy wakes up this great giant again (FYI – the radar has been beeping for years). On another note - I am sure when new cyber security and privacy laws pass, AT&T will be first in line to be innovating and advertising how they can help the customers meet the requirements and support the new laws.

Mon, Mar 12, 2012

I agree with the first commenter. I work in Govt IT Security and we fall way behind our adversaries. If you think that more regulation is the answer, look at our current security processes. They are reactive, not proactive, and we will never get ahead until we change our paradigm...

Mon, Mar 12, 2012

You miss the point, like many people do, in thinking that the government can do anything effective in the cyber area, much less in a regulatory role. There is an old saying that goes more or less "if the only tool you have is a hammer, then every problem tends to look like a nail". You only have to look at more than a decade of the paperwork-laden GISRA/FISMA to see that government can't even secure itself, much less industry that moves at a much faster pace. If the focus shifts to paperwork, which is what most regulation comes down to, then we've lost, and that's Amoroso's point. If you burden industry with paperwork showing they are protected from last year's problems, then you've given the adversary another lead on top of the one they have now. The adversary does not have a lead because we don't regulate; they have a lead because we have not been innovative enough. The wrong thing to do would be to put a regulatory collar on that.