Can Market Forces Secure the Internet?
So far, industry hasn't succeeded in creating secure software or networks. Is it time for the government to step in?
SAN FRANCISCO -- In a twist of opinion, the man who helped forge the government's plan on cyber security suggests that the IT industry may need some federal intervention in protecting data.
Richard Clarke, chairman of good Harbor Consulting and a former cyber-security czar for the Bush administration, said the security disasters of 2003 made some people wonder whether market forces can solve security problems.
Speaking on a panel at the RSA Security Conference held here this week, Clarke said that he used to believe government regulation of the Internet was a bad idea, that the government should only get involved if there was truly market failure. "Well, maybe market failure looks like 2003," he said.
Fellow panelists Scott Charney, Microsoft's chief trustworthy computing strategist, and Robert Holleyman, president and CEO of the Business Software Alliance, agreed that something's gotta give, but disagreed about whether the government should take the lead.
Moderator James Lewis, director of the technology and public policy program of the Center for Strategies and International Studies, said, "I'm uncomfortable with some networks or infrastructure being left to their own devices." For example, the electrical power grid and telecommunications networks are two vital networks whose failure would be catastrophic.
"You can say, 'This is a vital system, let's go out and regulate it,' and make it far less secure than before," Microsoft's Charney replied.
He said that the business community is experiencing a normal lag time in dealing with network security, but that progress will be made. Throughout the 1990s, he said, vendors didn't worry about making their products secure because their customers didn't care. Because of that lack of interest from the business community, the government made the decision to let the market play the largest role in securing networks.
"So, throughout the 90s, we as a society delegated public safety and national security to market forces. But they're not designed to do it," Charney said. He pointed out that other areas of public safety, such as police and fire protection services, aren't left to the free market but are provided by governments and paid for by taxes.
Historically, Clarke has not advocated the creation of an Internet regulatory commission, but proposed the government fund a project to create secure software from scratch.
"There's no point in requiring security if there's no secure product," Clarke said. "If the US government made it a priority as important as the moon project to somehow figure out how to write software without vulnerabilities, we could do it, then require vital parts of the economy to use it."
Holleyman of the Business Software Alliance said it's the culture that needs to change, not the regulations. If security concerns stay within the technical community, business won't be able to accomplish what it needs to.
"Governance is the hook we're using to try to get the dialog into corporate boardrooms and in front of senior management," he said. "We need government as a partner, and we need to talk about it internationally."
Holleyman warned that heavy-handed regulation could lead to mistakes that will be copied around the world. Instead, he said, the government should use its bully pulpit to build a culture of information security awareness.
The government also could use its buying power, Clarke said. "The Federal government will spend between $55 and $60 billion this year. If it used its procurement power to buy only secure products, it would drive the market." Instead, he said, the government continues to be model of how not to do it.
But it's not so easy to figure out how to build secure networks, Charney said. Enterprises are being inundated with offers for products touting security.
"We need a holistic approach," he said. That includes educated corporate governance, software developers who are trained to write secure code and more money in IT budgets earmarked for security. "There's not one choke point," he said
Regarding government regulation, Charney said business needs to be able to adapt if it'sgoing to make its products more secure. "We need to be really careful that we don't go down a path that will freeze technology in today's state," he said.