Cybersecurity: Too important to leave in private hands?

The cybersecurity of the U.S. is too important to leave to the chance that marketplace incentives will lead to more secure software, a liberal commentator and a cybersecurity analyst argued Monday at the Gartner IT Security Summit.

“Isn’t the threat too great to leave it in the hands of the private sector and count on them to do it themselves?” said Bill Press, a liberal commentator on MSNBC and columnist for the Chicago Tribune.

During a panel discussion about the possibility of government creating cybersecurity regulations, Press and Rich Mogull, a research director for Gartner Research, both advocated government taking a more active role. While others on the panel suggested the U.S. government could affect cybersecurity by using its huge purchasing power to influence companies, Press questioned why software vendors aren’t sued for selling products with security flaws.

Without laws allowing software vendors to be sued, “you are rewarding people for selling broken products,” he added. Instead of software vendors being held responsible for cybersecurity problems, the buyers pay the bill, Press said.

“If I’m a pharmaceutical company, and I put out a bad drug, my (butt) is going to get sued,” Press said. “Why no liability (laws) for software manufacturers?”

Others suggested that defining software security in a law would be nearly impossible. Writing software is more of an art than an engineering science, said John Pescatore, vice-president and research fellow at Gartner Research. Instead of government regulations, software buyers should demand better products, he said. In all but the desktop market, where Microsoft Corp. dominates, competition over the past couple of years has helped improve software security, Pescatore added.

“If you want to buy crap, the vendors will sell you crap,” he added. “You control it with your marketplace.”

Fred Barnes, executive editor of the conservative Weekly Standard and co-host of Fox News’ Beltway Boys, asked the panel why more cybersecurity legislation hasn’t been considered in the U.S. Congress.

“There’s a fear of stifling innovation,” said Roger Cressey, president of Good Harbor Consulting LLC and former counter-terrorism expert at the White House. “Innovation in the software industry is measured in a matter of months, not a matter of years.”

Barnes noted that some government and private cybersecurity experts have been warning of the possibility of a “digital Pearl Harbor,” a massive attack on U.S. IT assets, for several years. He asked how likely such a scenario was.

The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. “The abilities of the bad guys get better every day,” he said.

The U.S. isn’t ready for a concerted cyberattack, but the government is headed in the right direction, Cressey said. When Cressey was at the White House, he was concerned about a so-called “swarming attack,” in which a cyberattack was coupled with a physical attack.

Cressey predicted national legislation would follow a major cyber outage, and Congress would legislate with “a hammer instead of a scalpel.”

“If we ever truly have a major cyber event … then you’re going to see Congress legislate,” Cressey said. “They will legislate because of a public outcry. It will be bad legislation.”

Gartner’s Pescatore predicted that legislation focused on protecting critical infrastructure would eventually be passed. “We should all be willing to pay more for electricity and for Internet access,” he said.

But Dix, from the House Government Reform Committee, said he hopes legislation will not be necessary. His subcommittee’s chairman, Adam Putnam, a Florida Republican, floated a draft bill in late 2003 that would have required public companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission. However, Dix said Monday he hopes the subcommittee’s efforts to raise awareness about cybersecurity will get company chief executives to take the issue seriously.

But Press suggested that the software industry should be proactive and work with Congress now to pass legislation the industry can live with.

Press questioned whether software vendors would build in strong security mechanisms without a government prod. “I don’t think you guys are living in the real world, to be blunt,” he said to panelists advocating a marketplace approach. “We have a Clean Air Act because (manufacturing) plants aren’t going to clean up the air on their own.”
