The Role of Government in IT Security
Special report, RSA Conference 2004: In a nutshell, panelists in IT governance discussion agree that government should play limited role, but they diverge on approaches.
How large a role should government play in computer
security? That delicate question was discussed before an audience of IT
security folks—the types who are famously skeptical of, or even downright
hostile to, any suggestion of government interference in their industry.
During a panel discussion at RSA Conference 2004, three executives with
experience in information security and government generally agreed that
although there's a role for government to play, that role should be limited.
Richard Clarke, former cyber-security advisor to the White House, said
that he feels in general that "regulation of cyberspace is a bad
idea." He also pointed out, though, that there is regulation already
in place like Sarbanes-Oxley and HIPAA.
He then explained the circumstances under which he would like to see
oversight. "I don't want regulation unless we have 'market failure'—that
is, if market forces don't force people to create secure products; then
the government should step in."
Clarke mentioned the scourge of worms and viruses that appeared in 2003
and said "last year looked a lot like market failure." Clarke
didn't mention Microsoft products by name, but it would be hard to escape
the conclusion that he would have lumped Windows into that category.
That prompted a response from Scott Charney, Microsoft's chief strategist
for Trustworthy Computing. He claimed that products weren't made as secure
as they could have been in the past because "the markets weren't
demanding security, so the vendors weren't building security" into
their products. He then mentioned how Microsoft products have gotten more
secure over the past several years, but added that he's not sure that
security should be a market-driven initiative.
"Throughout the '90s, we as a society delegated public safety and
national security to market forces. Well, you can't do it. You couldn't
make an economic case for the Cold War, or public safety or defense. You
can't be robbed and then have a cop say 'For $50, I'll chase him.' "
Charney believes a market for IT security has developed, but "even
if we devote time and attention to the problem, it's going to take time"
for the new security efforts to affect change in the industry due to the
predominance of legacy systems still in place.
|James Lewis, director, public policy program,
Center for Strategic and International Studies (third from right),
moderated Wednesday's information governance panel, which featured
(l. to r.) Robert Holleyman, president and CEO of the
Business Software Alliance; Richard Clarke, chairman, Good
Harbor Consulting, LLC and former cyber-security advisor to the White
House; and Scott Charney, Microsoft's chief strategist for
Trustworthy Computing. (Photo: Richard Bambery)
Panelist Robert Holleyman, president and CEO of the Business Software
Alliance, weighed in with his opinion that although some government involvement
may be necessary, a more important change that needs to occur is buy-in
from upper management.
He mentioned the findings of a recent IT security task force that found
that "information security isn't just a technical problem, but needs
to be in the executive room and in the board room.
"The goal is to establish [methods and procedures] that go beyond
best practices and make it part of management," Holleyman continued.
Clarke said that some parts of the IT community haven't responded well
to voluntary calls for more secure practices, and for those businesses,
a more forceful approach might work. He singled out ISPs.
"In general, ISPs don't do anything about security, and they could
make major contributions. The FCC [Federal Communications Commission]
could force them to, but they don't. They issued voluntary guidelines.
"The market isn't forcing ISPs to do anything about security,"
Clarke went on. "Perhaps this is a case where the government could
do something like taking the voluntary guidelines and making them mandatory."
Charney said that for Microsoft's part, education is a big part of increasing
the security of its products. "A lot of the effort we were spending
was on internal training. Programmers were never taught to write secure
Clarke responded that while those are positive steps, the lag time before
more secure products hit the market is a problem.
"It's going to be 2006 before the release of your next operating
system, but then it will be three, four or five years before it's [fully]
deployed. The question is can we wait until 2010 to get secure systems?"
Clarke suggested that if the federal government only bought products
that were secure, it would help drive the market, and force software and
hardware vendors to build in more security more quickly.
One aspect all three panelists said was a legitimate function of government
was law enforcement. "We have to deal with the criminal aspects,"
said Holleyman. "We have to make sure we're tracking down the people
who are committing these crimes."
Charney said that "while good law enforcement is part of the solution,"
he said it shouldn't be the main focus of government, or private-sector,
efforts. "On the Internet, an ounce of prevention is a ton of cure.
Certainly we want general deterrence, but you can do more" with prevention.
Clarke agreed, saying that if he had $1 to spend on information security,
he'd spend 7 cents of it on law enforcement.
Even with all the dour predictions made and complexity of the problems
discussed, it wasn't all doom and gloom. Holleyman pointed to a survey
his organization released recently. "Seventy-eight percent of respondents
said they were doing more than the previous year in regards to information
Keith Ward is the editor in chief of Virtualization Review.