More Regulation For The Software Industry?

SAN FRANCISCO — UPDATED: Richard Clarke, the former White House cyber security czar, urged the technology industry to adopt regulations or even benchmarks to improve security in their products — or face getting walloped with new regulations from Congress.

Clarke’s comments came today during a panel discussion here at the RSA Security Conference called “To Regulate or Not to Regulate: That is the
Question.” The panel sought to “debate the issue of software liability against
poorly built software and security products.” It also comes at a time when statistics show an explosion of new attack vectors: botnets, spyware and phishing attacks meant to steal personal data.

“Regulation depends on the industry,” said Clarke, who is now the
chairman of Good Harbor Consulting. “After we have a major
incident, there will be much worse regulation than you could get now.”

Clarke, perhaps best known as the cyber security czar in the Clinton and
(the first) George Bush administrations — and who later resigned from the current Bush administration — admitted that he too was opposed to some regulation efforts during his time in government.

But the patchwork of regulations we now have, such as the Gramm-Leach-Bliley
Act of 1999 in the financial services industry, and HIPAA (the Health
Insurance Portability and Accountability Act of 1996), overlaps and even confuses how the
information industry builds its software and products to help companies
comply. Some basic security benchmarks within the software industry itself
would help defuse the confusion, he added. “There are some things we might
want to regulate. I think cyber security has a problem.”

“Many think this year will be a watershed year in privacy and regulation in
Congress,” said Scott Schnell, an RSA Security official who also moderated
the panel discussion. “Others say if we simply held software companies
accountable for fraud, we wouldn’t have these problems.”

Technology companies already hold themselves accountable, for example through
Service Level Agreements, countered Harris Miller, president of the
Information Technology Association of America, an industry trade
association. “If you start regulating security, you will stifle innovation.
You’ll end up with a ‘lawyer-driven world’ in which you get sued for every
flaw in a software product.”

Rick White, the president and CEO of TechNet, an industry trade group
made up of CEOs, said there may be some areas where the industry can
improve security without any oversight from the government. “But I think you
have to be careful” about too much regulation, he added. “The government
isn’t well suited to handle that.”

Panelists cited the example of seat belts in the auto industry: they only
arrived after they were mandated — but also after the U.S. auto industry
saw that Japanese makers were selling more cars with seatbelts included.

The mix of market and regulatory pressure eventually forced the automakers
to add more safety features, they said. Why not use a similar approach in
the information technology industry, and especially the software industry?

Bruce Schneier, founder and CTO of Counterpane Internet Security, argued capitalism has its own ways of forcing the same
effects as regulation.

“I tend to like regulation that says ‘here are the
results.’ I prefer regulation that just assigns responsibility,” he said. “I don’t care
how they solve the problem. I want to make it in their best financial
interest to do so.”

Although he agreed with the argument that regulation would stifle
innovation, Schneier also said the problem in the industry is that the
people who write the software don’t bear the losses for their mistakes.
“That fundamental disconnect has to be rectified.”

Market forces are one way to bring this about, added Schneier, the author of
best-selling books on security such
as Applied Cryptography. The growth of “Linux has done more for
Microsoft’s security than anything out there,” he asserted.

He also cited the example of ChoicePoint, the Georgia-based credit-check
company that recently disclosed to about 35,000 California residents that their information may have been accessed by criminals posing as legitimate companies in order to gain access to information about consumers. “If those [35,000] residents
can sue ChoicePoint, then the company has more than just a PR problem,” he
added. “You need a mix of liabilities that work. If a CEO believes without a
shadow of a doubt that he’s going to hell if he doesn’t ship secure
products, he has an incentive.”

“Public humiliation would help,” quipped Clarke. “We do have to do
something about the quality of software in the industry.”

Updates to include statement from ChoicePoint
