SAN FRANCISCO -- UPDATED: Richard Clarke, the former White House cyber security czar, urged the technology industry to adopt regulations or even benchmarks to improve security in their products -- or face getting walloped with new regulations from Congress.
Clarke's comments came today during a panel discussion here at the RSA Security Conference called "To Regulate or Not to Regulate: That is the Question." The panel sought to "debate the issue of software liability against poorly built software and security products." It also comes at a time when statistics are exploding with new vectors for virus attacks via botnets, spyware and phishing attacks meant to steal personal data.
"Regulation depends on the industry," said Clarke, who is now the chairman of Good Harbor Consulting. "After we have a major incident, there will be much worse regulation than you could get now."
Clarke, perhaps best known as the cyber security czar in the Clinton and (the first) George Bush administrations -- and who later resigned from the current Bush administration -- admitted that he too was opposed to some regulation efforts during his time in government.
But the patchwork of regulations we now have, such as the Gramm-Leach-Bliley Act of 1999 in the financial services industry, and HIPPA (Health Insurance Portability and Accountability Act of 1996), overlaps and even confuses how the information industry builds its software and products to help companies comply. Some basic benchmarks on security in the software industry itself would help diffuse the confusion, he added. "There are some things we might want to regulate. I think cyber security has a problem."
"Many think this year will be a watershed year in privacy and regulation in Congress," said Scott Schnell, an RSA Security official who also moderated the panel discussion. "Others say if we simply held software companies accountable for fraud, we wouldn't have these problems."
Technology companies already hold themselves accountable, such as with Service Level Agreements, countered Harris Miller, president of the Information Technology Association of America, an industry trade association. "If you start regulating security, you will stifle innovation. You'll end up with a "lawyer-driven world" in which you get sued for every flaw in a software product.
Rick White, the president and CEO of TechNet, an industry trade group made up of CEOs, said there may be some areas where the industry can improve security without any oversight from the government. "But I think you have to be careful" about too much regulation, he added. "The government isn't well suited to handle that."
Panelists cited the example of seat belts in the auto industry: they only arrived after they were mandated -- but also after the U.S. auto industry saw that Japanese makers were selling more cars with seatbelts included.
The mix of market and regulation efforts eventually forced the automakers to add more security features, they said. Why not use a similar approach in the information technology industry -- especially the software industry?
Bruce Schneier, founder and CTO of Counterpane Internet Security, argued capitalism has its own ways of forcing the same effects as regulation.
"I tend to like regulation that says 'here are the results.' I prefer regulation that just assigns responsibility," he said. "I don't care how they solve the problem. I want to make it in their best financial interest to do so."
Although he agreed with the argument that regulation would stifle innovation, Schneier also said the problem in the industry is that the people who write the software don't bear the losses for their mistakes. "That fundamental disconnect has to be rectified."
Market forces are one way to force this, added Schneier, the author of best-selling books on security such as Applied Cryptography. The growth of "Linux has done more for Microsoft's security then anything out there," he asserted.
He also cited the example of ChoicePoint, the Georgia-based credit-check company that recently disclosed to about 35,000 California residents that their information may have been accessed by criminals posing as legitimate companies in order to gain access to information about consumers. "If those [35,000] residents can sue ChoicePoint, then the company has more than just a PR problem," he added. "You need a mix of liabilities that work. If a CEO believes without a shadow of a doubt that he's going to hell if he doesn't ship secure products, he has an incentive."
"Public humiliation would help," quipped Clarke. "We do have to do something about the quality of software in the industry."
Updates to include statement from ChoicePoint