Will legislation be the answer to improving security?
- By William Jackson
- Jun 10, 2004
Whenever government and private-sector people come together to discuss IT security, the question of legislation to improve security is pretty sure to be debated.
Bob Woods, consultant and chairman of the Industry Advisory Council, and former head of the General Services Administration's Federal Telecommunications Service, thinks IT legislation is likely.
'You may very well see some happen in the next year,' Woods said at a security conference hosted in Washington by SecurE-Biz.net. The vulnerabilities and threats are too serious for legislators to ignore, he said.
Everyone involved in IT security, from software vendors whose products contain vulnerabilities through customers who must patch and manage the software to security companies selling protection, agree that improvements must be made in the quality of software.
The policies of the Homeland Security Department, influenced heavily by the private sector, focus on voluntary cooperation rather than government regulation to achieve these improvements.
Generally, corporate America is not eager to see legislation.
'Legislation or the threat of legislation is always a good incentive,' said John Johnson, head of corporate IT security for Intel Corp. But for the time being, he said, industry is occupied with Sarbanes-Oxley, a 2002 act regulating accountability of public companies. In other words'No new regulation, please.
Some government officials would welcome some regulatory help in managing their IT systems. Tom Kupiec, mission assurance officer for the National Geospatial-Intelligence Agency, a global mapping and intelligence agency, said one of his biggest headaches is spam.
'This is something that's gobbling up our bandwidth,' he said. 'I don't think there is enough legislation there.'
Congress has made a stab at controlling spam with the Controlling the Assault of Non-Solicited Pornography and Marketing ' the CAN-SPAM Act of 2003. Dave Marcus, chief technical security evangelist for Network Associates, called the act 'a good try. You've got to start somewhere.'
But Marcus was generally critical of Congress' approach to IT security. He said legislators do not understand the subject and fail to understand significant differences between threats and crimes in the real world and the digital world. Congress tends to either ignore a problem or to overreact, he said.
'The laws are being written by people who don't understand IT,' he said. 'They are not being written by guys who sit in front of terminals, eating Twinkies and drinking Jolt Cola.'
Marcus said that situation might be changing, as some tech people are beginning to go to law school so they can address these issues and have a say in the regulation of their industry.
William Jackson is a Maryland-based freelance writer.