SAN FRANCISCO -- Industry leaders still want consumers, not Congress, to push for more secure software development. This comes at a time when users are crying louder than ever that they can't keep up with the proliferation of patches issued to fix faulty software.
At least two panels at last week's RSA Conference focused on whether this is the year government lays down the law on privacy, security and quality software development to better protect all consumers and companies at risk. Or does a free market need more time to improve itself? The consensus was that customers should take a harder line, boycotting bad products or companies known to be insecure. And that those who develop inferior products should be held more liable.
"The people who write the software don't bear the costs of their mistakes," said cryptographer Bruce Schneier, CTO of managed security services provider Counterpane Inc., who also reminded everyone "companies are not charities. They don't do things out of the kindness of their hearts."
Former national cybersecurity czar Richard Clarke, who now chairs Good Harbor Consultancy, suggested software companies be forced to disclose how they're conforming to standards that help secure their products, and then let experts vet those claims. "The marketplace works better when we know what's going on," he said.
Clarke also maintained industry only responds when threatened with regulation and that government must follow through with penalties for violators if it comes to that. Meantime, Rick White, president and CEO of TechNet, said officials need to ramp up if regulation is inevitable. "There may be some areas where regulation can move technology in the right direction. But government's just not prepared to do that now." He, like ITAA President Harris Miller, also warned that too many resources spent on compliance could stymie innovation. Said Miller of regulation: "It often becomes the enemy of innovation. So we need to be careful about that."
A day later, a group of CSOs admitted that laws like Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley indeed are forcing companies to shore up their network security and that, rather than being loathed, they can be leveraged by security professionals to pass security initiatives. "You can use it as a way to get things done that you haven't been able to get done before," advised Dennis Devlin, VP and CSO of The Thomson Corp.
Clarke also warned that if businesses didn't do right by their customers, they may lose what autonomy from government oversight they now possess. "After we have a major incident," he said, "there will be much worse regulation than you can imagine."