News

The Role of Government in IT Security

Special report, RSA Conference 2004: In a nutshell, panelists in IT governance discussion agree that government should play limited role, but they diverge on approaches.

• By Keith Ward
• 02/26/2004

(San Francisco) How large a role should government play in computer security? That delicate question was discussed before an audience of IT security folks—the types who are famously skeptical of, or even downright hostile to, any suggestion of government interference in their industry.
During a panel discussion at RSA Conference 2004, three executives with experience in information security and government generally agreed that although there's a role for government to play, that role should be limited.

Richard Clarke, former cyber-security advisor to the White House, said that he feels in general that "regulation of cyberspace is a bad idea." He also pointed out, though, that there is regulation already in place like Sarbanes-Oxley and HIPAA.

He then explained the circumstances under which he would like to see oversight. "I don't want regulation unless we have 'market failure'—that is, if market forces don't force people to create secure products; then the government should step in."

Clarke mentioned the scourge of worms and viruses that appeared in 2003 and said "last year looked a lot like market failure." Clarke didn't mention Microsoft products by name, but it would be hard to escape the conclusion that he would have lumped Windows into that category.

That prompted a response from Scott Charney, Microsoft's chief strategist for Trustworthy Computing. He claimed that products weren't made as secure as they could have been in the past because "the markets weren't demanding security, so the vendors weren't building security" into their products. He then mentioned how Microsoft products have gotten more secure over the past several years, but added that he's not sure that security should be a market-driven initiative.

"Throughout the '90s, we as a society delegated public safety and national security to market forces. Well, you can't do it. You couldn't make an economic case for the Cold War, or public safety or defense. You can't be robbed and then have a cop say 'For $50, I'll chase him.' "

Charney believes a market for IT security has developed, but "even if we devote time and attention to the problem, it's going to take time" for the new security efforts to affect change in the industry due to the predominance of legacy systems still in place.

James Lewis, director, public policy program, Center for Strategic and International Studies (third from right), moderated Wednesday's information governance panel, which featured (l. to r.) Robert Holleyman, president and CEO of the Business Software Alliance; Richard Clarke, chairman, Good Harbor Consulting, LLC and former cyber-security advisor to the White House; and Scott Charney, Microsoft's chief strategist for Trustworthy Computing. (Photo: Richard Bambery)

Panelist Robert Holleyman, president and CEO of the Business Software Alliance, weighed in with his opinion that although some government involvement may be necessary, a more important change that needs to occur is buy-in from upper management.

He mentioned the findings of a recent IT security task force that found that "information security isn't just a technical problem, but needs to be in the executive room and in the board room.

"The goal is to establish [methods and procedures] that go beyond best practices and make it part of management," Holleyman continued.

Clarke said that some parts of the IT community haven't responded well to voluntary calls for more secure practices, and for those businesses, a more forceful approach might work. He singled out ISPs.

"In general, ISPs don't do anything about security, and they could make major contributions. The FCC [Federal Communications Commission] could force them to, but they don't. They issued voluntary guidelines.

"The market isn't forcing ISPs to do anything about security," Clarke went on. "Perhaps this is a case where the government could do something like taking the voluntary guidelines and making them mandatory."

Charney said that for Microsoft's part, education is a big part of increasing the security of its products. "A lot of the effort we were spending was on internal training. Programmers were never taught to write secure code."

Clarke responded that while those are positive steps, the lag time before more secure products hit the market is a problem.

"It's going to be 2006 before the release of your next operating system, but then it will be three, four or five years before it's [fully] deployed. The question is can we wait until 2010 to get secure systems?"

Clarke suggested that if the federal government only bought products that were secure, it would help drive the market, and force software and hardware vendors to build in more security more quickly.

One aspect all three panelists said was a legitimate function of government was law enforcement. "We have to deal with the criminal aspects," said Holleyman. "We have to make sure we're tracking down the people who are committing these crimes."

Charney said that "while good law enforcement is part of the solution," he said it shouldn't be the main focus of government, or private-sector, efforts. "On the Internet, an ounce of prevention is a ton of cure. Certainly we want general deterrence, but you can do more" with prevention.

Clarke agreed, saying that if he had $1 to spend on information security, he'd spend 7 cents of it on law enforcement.

Even with all the dour predictions made and complexity of the problems discussed, it wasn't all doom and gloom. Holleyman pointed to a survey his organization released recently. "Seventy-eight percent of respondents said they were doing more than the previous year in regards to information security."