Information Technology Association of America (ITAA) President Harris Miller joins fellow security luminaries Richard Clarke, Bruce Schneier, Scott Schnell and Rick White at the RSA Security conference in San Francisco next week for a debate on whether more regulation is needed to bolster cybersecurity.
The panel discussion is Wednesday from 8 to 8:45 a.m. in the Moscone Center.
As president, Miller directs day-to-day operations for the ITAA, which represents more than 350 of America's leading tech companies. In this Q&A, he offers a glimpse of what he'll bring to the discussion table, and addresses the ongoing controversy over his support for IT outsourcing.
Do you think more regulation is the answer to today's security problems?
Miller: More government regulation and more liability in the system won't solve the problems we face. It's just a barrier to innovation. [The ITAA] strongly opposes more regulation and liability as a way to increase cybersecurity. Customer demand has really driven changes in how security is approached. More and more enterprises rely on the Internet to conduct business. That means more customer demand for security over the Internet. That's a more effective driver for change than more regulation and liability could ever be.
Can you give examples of how customer demand has led to progress?
Miller: If you go back a year, no consumer-based provider offered free antivirus, antispam or antispyware. Now just about everyone does. It's become a necessary offering for them to be taken seriously. Then there are the cybersecurity updates. Three to four years ago if you invested in AV, you had to go out and get the updates; to take proactive steps. Then firms figured out that people weren't doing it that often and that their PCs were more and more open to attack. Now you have automatic online updates. I'm sure Microsoft would like to have fewer vulnerabilities, but they're a lot more proactive than they used to be. Now they send out the patches and you just have to click yes to download. There's still a long way to go. Many security problems are still people-related. Regulation isn't going to help you if people are giving their passwords away and writing them on sticky notes. People still don't understand how the weakest link can damage the whole chain.
You've taken flak in the IT community for your stance on outsourcing. Has your view changed any?
Miller: No. You can have great security in Bangladesh and lousy security in Boston or vice versa. A lot of security threats are internal. That's not impacted one way or another by whether work is done inside or outside of the building. You have to practice due diligence when you turn over some part of your business to an outside company. You have to review their security procedures. That can be complicated.
Miller: You can outsource to someone across the street you've known for 20 years, and that's easier. It's tougher with someone from another country. But that doesn't mean the company abroad isn't better at security than your friend across the street. I've visited companies in India and found them to be ahead of many American companies on their security procedures. One place didn't allow cell phones in the building. Cell phones are one way to send sensitive information back and forth. I saw one company that did rigorous searching to make sure people weren't stealing laptops from the building. There was tougher policy enforcement, strict enforcement of the Web sites you can browse in the office, and so on. That's not to say they're perfect. I'm not saying that international companies are better at security than American companies. My point is that companies must be able to look at outside organizations if they can provide security that better meets the needs of the enterprise.
Do you expect this to come up at RSA?
Miller: Sure. Bruce Schneier has been very vocal saying that the industry I represent -- which he is part of -- gets away with murder because there isn't enough liability. I expect tough questions from the audience as well. There will obviously be a lot of people that are real cybersecurity advocates who believe the marketplace can't handle security without more government regulation and liability.
While you're against more regulation, you have said the government must do more. Explain.
Miller: The government could be spending more on cybersecurity research and development. The President's budget does better, but the bad guys are spending more time looking for weaknesses. We need to find more ways to protect systems against them. We also need to invest more in educating youngsters on cybersecurity. Kids who spread worms and viruses don't see the human impact; how their pranks affect people. We need to teach them it's not okay to create and propagate worms and send out inappropriate material, just like we teach kids that it's not okay to steal candy or beat the next door neighbor's cat. The government can also be more of a bully pulpit; more of a cheerleader for better cybersecurity. One big improvement would be for the Department of Homeland Security to turn the cybersecurity czar into an assistant secretary position.