@Info.Policy: Legislate IT security? When pigs fly

Robert Gellman

One line that always gets a laugh from an audience is, 'I'm from the government, and I'm here to help you.' Or how about, 'I'm from Congress, and I will pass legislation to improve computer security.' Bet you're rolling on the floor over that one, too.

It may not be a joke. In recent weeks, Rep. Adam Putnam (R-Fla.) has been making noises about legislation to mandate computer security standards for the private sector. Putnam chairs the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Putnam, a Republican, wants to legislate private-sector computer security. That's right. A Republican wants more regulation. Was that a pig that just flew by my window?

Some elements of computer security are easy: Install the software patches and close the holes. Unfortunately, not enough people do that very well, and legislation is not likely to help with the management side. You can't legislate good management.

Other elements are hard. One of the few people in the computer security business that I have consistently heard making sense is Bruce Schneier, chief technology officer of Counterpane Internet Security Inc. of Cupertino, Calif. Schneier has recommended, among other things, using the liability system as a stick.

If companies were liable for the security of the hardware and software they produce, they might be motivated to do better. If nothing else, they would have to improve their products just to get insurance coverage at a reasonable price.

Schneier has argued that liability is a common capitalistic mechanism to deal with situations where the market doesn't properly motivate producers because they don't bear the risks of failure. That is why we have strict liability for consumer products such as seat belts and air bags.

Manufacturers can be too remote from consumers to care enough about product safety, but strict liability focuses their attention and produces results. The same idea could work for computer security.

Despite Schneier's characterization of the liability approach as capitalistic, the idea isn't likely to get much traction with Republicans. If you have been watching the legislative wars about spam or privacy, you may have noticed that Republicans do not want to create private rights of action, that is, letting people who have been harmed sue those responsible. Class-action lawsuits are highly disfavored because trial lawyers support Democrats.

Keep in mind that Putnam's subcommittee doesn't have jurisdiction over the private sector, so it can't do much in the way of legislating private-sector computer security anyhow. The committee could try to do something about government computer security, but we have had such legislation for years and little to show for it.

With so many competing interests, substantive computer security legislation is highly unlikely. Good thing, too. Whatever is needed to improve computer security isn't going to come from Congress.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at [email protected].
