To regulate or not to regulate security? That is the question
- By William Jackson
- Feb 16, 2005
SAN FRANCISCO--A lively debate between software industry representatives, security advisers and technologists on the need for government security regulation generated lots of heat at the RSA Security Conference, but few surprises.
"Why is it we don't actually solve any problems?" asked Bruce Schneier, CTO of Counterpane Internet Security Inc., the panel's techie. "Why are the old attacks still around? I maintain that the problem is not technology, it's economics."
The solution, he said, was to change the economic equation through government regulation.
"Regulation increases the cost of not doing security, which increases security," he said. "That's how capitalism works."
Industry reps predictably disagreed.
"We have plenty of laws on the books," said Harris Miller, president of the IT Association of America.
Harris and Rick White, president of TechNet, an industry lobbying group, warned that regulation would stifle innovation, and that software companies will work best if left alone. "Much more needs to be done, but we are making good progress," Harris said.
Richard Clarke, former presidential cybersecurity adviser and now chairman of Good Harbor Consulting LLC, came down on the side of regulation, with some reservations. He said he opposed regulation during his tenure in the Clinton and Bush administrations.
"I thought regulation would be cumbersome and we should try some other way first," he said. "Unfortunately, Congress did not go along with that," and the result has been an inconsistent patchwork of industry and government regulations.
But the IT industry has done little on its own to improve the security of its systems and products, Clarke said. "Industry only responds when you threaten regulation," he said, and government must be willing to follow up on those threats. He called it "criminal" that Internet service providers are able to provide broadband service without providing firewall and antivirus protection.
Clarke, a primary author of the National Strategy to Secure Cyberspace, released two years ago this month, gave industry a grade of D-minus in its efforts to regulate itself, as recommended in the strategy. Schneier gave industry a C, but added, "I grade on a curve." Harris gave it a B.
"I'm not sure some of you have actually read the national strategy, otherwise your grades wouldn't be so high," Clarke said.
While Harris and White said that economic self-interest and the marketplace are the best ways to ensure better security, and warned against stifling what they portrayed as a fledgling IT industry that needs the freedom to grow and experiment. "You have to give the industry a little more time to work this out," White said.
But Schneier countered that while the marketplace can help by demanding security, it will not be able to finish the job. As long as it is cheaper for companies to ignore security, it will be ignored unless the government forces them to improve, he said.
William Jackson is a Maryland-based freelance writer.