Should the Government Regulate Internet Security?

Both the high-tech industry and the Bush administration have opposed government regulation of the Internet on the grounds that it would burden businesses and hinder technological innovation.

But after 2003— which all acknowledge was the worst year ever for worms, viruses and security breaches that cost billions of dollars in lost productivity— some question whether the free market is capable of producing a safe and secure Internet.

At a panel Wednesday at the RSA Security Conference in San Francisco, Calif., speakers representing both business and government stopped short of endorsing an Internet regulatory commission that would order better security. But they acknowledge that certain industries like banking are getting the U.S. Congress to pass regulations anyway despite strong anti-regulation sentiment in both Washington, D.C., and Silicon Valley.

“Market failure was our escape hatch,” said Richard Clarke, former cyber security advisor to President Bush. “But 2003 was a disaster, and there’s no reason to think 2004 is going to get any better. Maybe market failure looks like 2003.”

Scott Charney, Microsoft Corp.’s Chief Trustworthy Computing Strategist, said the current problems are the result of delegating responsibility for security to the private sector throughout the 1990s combined with the fallout from the terrorist attacks of Sept. 11, 2001. He said the products most people use today were built “when the threat model was completely different” and that it will take time for the market to work. He suggested government provide more funding for research and development and offer incentives to make security better.

Banks can tell Microsoft to develop secure software, he said, “but developers are not taught to write secure code. Even today you have people coming out of school with masters and Ph.D.s in computer science who don’t know what defense in depth is. You must look at the whole software lifecycle. There’s not one chokepoint.”

Clarke suggested that the government make secure software “a priority as important as the Moon project and the Manhattan project” and “require parts of the economy to use it.” He also said the government has failed so far to use the power of its own procurement, which ran $55 billion to $60 billion last year, to force technology products to become better.

However, in an earlier keynote, retired Air Force General John Gordon, who meets almost daily on Homeland Security with President Bush, said industry must do better too. Government can analyze cyber attacks as part of long-range trends, fund research and development, and raise awareness of security, Gordon said.

Yet Gordon is still unable to figure out how to set up encryption on his own home WiFi network, despite “scouring the documentation” and spending hours on the phone with tech support. Also, he said, “it can’t be beyond our ability to distribute software with a reduced set of vulnerabilities.”

Robert Holleyman, president of the Business Software Alliance, an industry trade group, said C-level executives need to become well-versed in information technology and understand the importance of making their own infrastructures secure.

Clarke also said he doesn’t worry about any consequences of sharing information on vulnerabilities, for which the Department of Homeland Security last week began providing a legal safe harbor. “The bad guys already know about the vulnerabilities,” Clarke said. “The only ones who don’t know are the CEOs and the government.”

Also on Wednesday, organizers of The RSA Security Conference released their second annual Internet Insecurity Index, which showed no improvement over 2003. Some areas— government, information security industry and Internet crime and fraud— declined. The conference runs through Friday, and RSA expects 10,000 people to attend.