There are many obstacles to improving cybersecurity, principal among them vendors rushing insecure software to market, leaving millions of systems needing patches.
Is it time for the government to step in and regulate IT more? Heck no, said some security people recently contacted by SearchSecurity.com. They said that government intervention wouldn't help cybersecurity and might even hamper it. Leave security solutions to be driven by pressures imposed by the market, they said.
"If you let the market drive the changes, the money will flow to the companies that provide the required security from the ones that do not," said a senior systems administrator from Michigan who requested anonymity.
The marketplace is more agile and better suited to responding to the needs of the fast-moving security landscape. "Regulation is invariably too late, too structured and has too many unintended consequences," said Leslie Van Sickel of the Kansas Department of Social and Rehabilitation Services in Topeka.
Two such "unintended consequences" are reduced innovation and more expensive software development. Regulations could prevent a programmer from coming up with a unique idea because the programmer would be worrying about compliance, not creativity. Also, if regulations differed from country to country, that would add another level of complexity and expense to software creation.
The federal government has taken a laissez-faire approach to improving cybersecurity. "The National Strategy to Secure Cyberspace," released by President Bush, specifically relies on the invisible hand of market forces to encourage more secure products and avoid "government regulation or expand unfunded government mandates to the private sector."
The government realizes that most of the critical IT infrastructure is in private hands. Improving cybersecurity will take a partnership between the public and private sectors.
Market forces, however, do have limits. People like Van Sickel don't necessarily believe the government has no role to play.
"If companies leave themselves open to legal liability from damages, that will take care of the problem soon enough," Van Sickel said.
Extending liability to faulty software does have its pitfalls, said Damien Moriarty, a system administrator with Sydney, Australia-based Emagine International, which provides closed-loop marketing products to telecommunications operators. "We are already seeing the damage of public liability cases in the medical field, with many physicians moving away from high risk fields due to the growing insurance costs," Moriarty said.
Finding even one vendor liable could set a dangerous precedent, and "you would find industry competition reduced substantially over a few years," Moriarty said.
Additionally, the reliance on market forces presupposes that there is a market with healthy competition. For example, Microsoft has a lock on the desktop operating system market. It would be difficult to find alternatives. In other words, it's hard to walk away from Windows. "Bringing market pressure to bear on what is essentially a monopoly just doesn't work," said a system administrator from San Jose, Calif., who declined to be identified.
There comes a time in a technology's history when it does fall under regulation. A historical situation comparable to the Internet is air flight, said Gene Spafford, a computer science professor at Purdue University and director of the school's Center for Education and Research in Information Assurance and Security.
The first major mover of air flight was the military, which poured money into the technology during World War I. After the war, former pilots wished to continue flying, so they found work flying at fairs and festivals, offering flights for 25 cents.
Over time, quarter rides weren't enough to cover expenses, so pilots started taking on passengers and mail. Regulations were imposed at this point to protect people. As the industry grew, so did regulations. Did regulations choke innovation? No one can really say, but air travel has become an extremely safe mode of transportation, Spafford said.
Presently there are elements of cybersecurity, most notably cyberterrorism measures, that are more the domain of the government. "You can't delegate national security to the markets," said Scott Charney, Microsoft's chief security strategist, during his keynote address at the Computer Security Institute's annual Computer Security Conference and Exhibition last month in Chicago.