RSA Panelists Clash in Cybersecurity Regulation Debate
- By John K. Waters
SAN FRANCISCO, CA--To regulate or not to regulate; that was the question for a panel of IT industry notables at last week's RSA security conference in San Francisco. In an on-stage debate that sparked some heated exchanges, the panel--which included former White House cybersecurity czar Richard Clarke, Information Technology Association of America (ITAA) president Harris Miller, TechNet president Rick White, and IT security expert and author Bruce Schneier--took on the issue of software liability and whether there should be more government regulation of the private sector, including the technology industry.
They arrived at no consensus.
"Many think this year will be a watershed year in privacy and regulation in Congress," observed Scott Schnell, the RSA Security VP who also moderated the panel. "Others say that if we simply held software companies accountable for fraud, we wouldn't have these problems."
Clarke declared that better security would come only with government regulation--or at least the threat of it. Clarke, now chair of Good Harbor Consulting, opposed regulating the IT industry when he served in both the Clinton and second Bush administrations. But he has reversed his position. "Industry only responds when you threaten it with regulation," he said. "After a major incident there will be worse regulation than you have now."
Arlington, VA-based Good Harbor Consulting LLC advises companies on strategic planning, product and business strategy evaluation, partnership opportunities, and strategic security risk assessment, according to the firm's Web site. Clarke founded the firm last year with John Tritak and Roger Cressey, both of whom served with Clarke on the President's Critical Infrastructure Protection Board.
Both Miller and White argued against regulation. Miller called it "the enemy of innovation." "Even heavily regulated industries like the auto sector have problems," he said. "There are already plenty of laws on the books to deal with this."
With more than 500 member companies, the ITAA is the leading trade association of the U.S. information technology industry. Through its advocacy efforts, the group "helps to foster an environment which is conducive to the health, prosperity, and competitive nature of the information technology industry," according to its Web site. The ITAA is based in Arlington.
Though White, who is a former U.S. congressman, admitted that he would have to give the industry a grade of B-minus on its security report card for now, he maintained that the industry is making progress under existing legislation.
TechNet is a Silicon Valley-based lobbying group that bills itself as "the leading public policy and political service organization for the Innovation Economy." TechNet's membership consists of 150 high-tech executives who organized to "create a dialogue between the technology community and government."
Schneier declared that regulation was the only thing that would compel software companies to write more secure code. "Regulation changes the trade-offs a company makes," he said. "The capitalist incentives are not in line with the results we want as a society. If we make it in a company's best interests to make secure products, it will."
Schneier's company, Counterpane Internet Security, is a Mountain View, CA-based managed security services provider. Schneier has written six books, including "Beyond Fear: Thinking Sensibly about Security in an Uncertain World" (Copernicus Books, September 2003) and "Applied Cryptography" (John Wiley & Sons, 1996).
Schneier observed that the issue might, indeed, come down to a choice between innovation and security. But what he called a "fundamental economic disconnect" between the people who write software and the consequences of their mistakes needs to be rectified.
The 14th annual RSA security conference drew more than 13,000 attendees, according to the event organizers' final tally. It was held at the Moscone Center in San Francisco.