What's fed role in private IT security?
- By William Jackson
- Dec 12, 2003
The government has a part to play in ensuring the security of the nation's IT infrastructure, but experts in a roundtable discussion today could not agree on what it should be doing.
'Best practices are good, but teeth are better,' said Peggy Weigle, chief executive officer of Sanctum Inc. of Santa Clara, Calif., which sponsored the roundtable.
Weigle, who favors regulation, said, 'I do think government should define the guidelines' for IT security.
Former White House cybersecurity adviser Richard Clarke was less enthusiastic about regulation, calling it potentially dangerous. Clarke now chairs Good Harbor Consulting LLC of Arlington, Va.
Although leery of regulation, Clarke acknowledged a lack of success in getting industry to adopt best practices on its own. He fostered information sharing and analysis centers in several industry sectors to facilitate cooperation.
'We had hoped that the ISACs would come up with best practices, but they haven't in most cases,' he said. 'I wouldn't mind the government giving a little impetus in this area.'
Clarke said regulations, if they do come, should be applied carefully and sector by sector. To be effective, he said, they should mandate third-party audits.
The government's auditing requirements are 'one of the reasons the financial services sector is probably the best in cybersecurity,' he said.
John Pescatore, vice president of research for Gartner Inc. of Stamford, Conn., called for the government to lead by example, rather than by regulation.
'I don't think [the Homeland Security Department] should define legislation,' he said, but should instead set an example by first securing its own IT systems.
Pescatore said licensing agreements and the sheer complexity of software have kept software vendors from being held accountable for the flaws in products they sell.
'I think we need to see more liability put on the manufacturers of software,' he said.
Clarke and Weigle, however, said the onus should be on buyers and users to demand better products.
'What we don't want to do is put a lot of liability on vendors,' Weigle said.
'I don't think we need to go down the path of legal liability here,' Clarke said, because he believes it would benefit no one except lawyers.
William Jackson is a Maryland-based freelance writer.