Cybersecurity: A Job for the Feds?

WASHINGTON -- The nation's cybersecurity is too important to leave to the free market, gambling that competition and demand will produce secure software, both a liberal commentator and a cybersecurity analyst argued Monday at the Gartner IT Security Summit here.

"Isn't the threat too great to leave it in the hands of the private sector and count on them to do it themselves?" said Bill Press, a liberal commentator on MSNBC and columnist for The Chicago Tribune.

Both Press and Rich Mogull, a research director for Gartner Research, advocated government taking a more active role in cybersecurity standards and efforts. They spoke at a panel discussion about the possibility of government creating cybersecurity regulations.

Other panelists suggested the federal government could affect cybersecurity by using its huge purchasing power to influence companies. But Press asked why software vendors aren't sued for selling products with security flaws.

Unless software vendors are liable for flawed products, "you are rewarding people for selling broken products," Press added. Currently, the buyers pay the bill, he said.

"If I'm a pharmaceutical company, and I put out a bad drug, my [butt] is going to get sued," Press said. "Why no liability (laws) for software manufacturers?"

Market Effort Defended

Others suggested that addressing software security by law is nearly impossible. Writing software is more an art than an engineering science, said John Pescatore, vice president and research fellow at Gartner Research. Software buyers should demand better products rather than government regulation, he suggested. In all but the desktop market, where Microsoft dominates, recent competition has helped improve software security, Pescatore noted.

"If you want to buy crap, the vendors will sell you crap," he added. "You control it with your marketplace."

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News' Beltway Boys, asked the panel why Congress hasn't considered more cybersecurity legislation.

"There's a fear of stifling innovation," said Roger Cressey, president of Good Harbor Consulting and a former White House counterterrorism expert. "Innovation in the software industry is measured in a matter of months, not a matter of years."

Barnes noted that some government and private cybersecurity experts have warned of a "digital Pearl Harbor," a massive attack on U.S. technology assets. He asked the panel how likely that scenario is.

The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. "The abilities of the bad guys get better every day," he said.

The U.S. isn't ready for a concerted cyberattack, but the government is headed in the right direction, Cressey said. When Cressey was at the White House, he was concerned about a so-called "swarming attack," in which a cyber attack was coupled with a physical attack.

Eventual Laws Expected

Cressey predicted national legislation will follow a major cyber outage, and Congress will then legislate with "a hammer instead of a scalpel."

"If we ever truly have a major cyber event ... then you're going to see Congress legislate," Cressey said. "They will legislate because of a public outcry. It will be bad legislation."

Gartner's Pescatore predicted legislation to protect critical infrastructure will eventually pass.

"We should all be willing to pay more for electricity and for Internet access," Pescatore said.

But Dix, from the House Government Reform Committee, said he hopes legislation will not be necessary. His subcommittee's chairman Adam Putnam, a Florida Republican, in 2003 proposed requiring public companies to report their cybersecurity efforts to the Securities and Exchange Commission. However, Dix said Monday he hopes the subcommittee's interest in cybersecurity will get tech CEOs to take the issue seriously.

But Press suggested the software industry should work with Congress now to pass legislation. He questioned whether software vendors would get serious about security without a government prod.

"I don't think you guys are living in the real world, to be blunt," he said to the panelists who advocated a marketplace approach. "We have a Clean Air Act because (manufacturing) plants aren't going to clean up the air on their own."
