A Cup of Coffee

Thursday, February 17, 2005

The Fight for Corporate Cyber-Rights (Impossible)

Concerns over cyber security have often led to an age-old dispute: the role of government in ensuring the safety of its citizens, contrasted with the power of the free market to do the same. Consultants and government officials tended to lean toward the first side of the argument, corporate representatives toward the other. From the article:


Panelists discussing who should be responsible for company security breaches that result in identity theft or economic loss to customers were divided on whether government regulation would help improve security.

Former national cybersecurity czar Richard Clarke and renowned cryptographer and computer security expert Bruce Schneier said that companies will not get serious about securing their networks and protecting customer data until they are forced to do so by regulations that impose fines or other penalties for failing to secure their networks.

But Harris Miller, president of the Information Technology Association of America -- whose members include software makers -- and Rick White, president and CEO of TechNet, an association of CEOs, argued that regulation would stifle innovation and wouldn't solve the problems since other regulated industries, like the energy and telecommunications industries, still have issues that regulation hasn't solved.


This argument has been around for as long as I've been interested in the subject (at least half a decade, probably longer). It was epitomized by the discussion surrounding the release of the 2002 National Strategy to Secure Cyberspace. Critics were concerned that the document, which was authored by Richard Clarke's office, did not impose any kind of requirements upon businesses (those that had been in the draft version had been stripped out). Instead, a compromise was reached: a voluntary clearinghouse, the Protected Critical Infrastructure Information (PCII) program, would allow corporations to share security-related information without concern that sensitive information would be passed on to competitors or the public. In order to participate in the program, corporations had to agree to abide by government security regulations. Of course, the program has "flopped."

Security breaches are on the rise. The industry-run center that tracks security incidents gave up trying to aggregate the numbers last year. Spyware and adware have become so widespread that they have awakened the sleeping giant (Microsoft), which is about to release its own anti-spyware tool. And with incidents like this week's Choicepoint hack, in which thousands of individuals' sensitive information was stolen, the situation is slowly pushing its way out of geekdom and wonkworld into the mainstream public consciousness.

So then what's at issue? The free marketers argue that industry can reliably protect its customers. Government regulation, they claim, would stifle their ability to create new products because they would be forced to comply with rulesets that would quickly grow stale and overly cumbersome. Moreover, the constantly evolving world of computer vulnerabilities would be nearly impossible to manage via a regulatory regime. Instead, they say, customer and consumer demand will force companies to keep their products and data secure.

The regulationists, on the other hand, acknowledge their ideas' shortcomings but say that industry won't comply on its own. Essentially, industry has had its chance, yet incidents of identity theft on the scale of hundreds of thousands of people still occur. Because the threat thrives on its dispersed nature (most data can be stolen, or computers compromised, through any one of a number of links in the infrastructure), the responsibility for ensuring that citizens are protected is pushed onto the government. The government, in turn, should provide incentives for companies that produce secure products and penalties for those that can't.

Both sides concern me. Obviously, the free market solution is pretty dysfunctional. In the Choicepoint case, the affected consumers generally had no clue that this company had so much of their personal information stored in its databases. Without that knowledge, how could they pressure Choicepoint to secure it? Of course, once the incident occurred, it's a different situation. But the point of security is to stop attacks before they happen, or to ensure that they are unsuccessful.

Government regulation has its own problems. Obviously, someone will have to be held responsible for compliance. But that would wither the maturing open source movement, which, in many cases, has produced more reliable alternatives than its commercial counterparts. Small software houses would similarly suffer. Finally, the added costs, both to consumer price and to development time, could indeed limit American business. Why would Microsoft release a new version of Outlook if it could be held responsible three years down the road when some anonymous hacker uncovers a previously unknown vulnerability?

Some have suggested that we should instead move to a process model, similar to the ISO process standards used in software (or the CE mark on electrical appliances). Essentially, in order to be 'certified,' the software producer would have to show due diligence in its software security process (or data collection or archival process, or whatever), demonstrating that it is taking all reasonable steps to ensure protection. Its products or services could then be branded with the logo, like the CE-in-a-circle logo you'll find on anything electrical. The brand's integrity would rely on the regime's ability to ferret out problems before they occur, and to force corporations to move quickly once a vulnerability is exploited. Consumers would eventually learn to trust the brand, and in time every product or service would bear the label.