During a recent panel discussion on government regulation of IT security, security commentator Bruce Schneier made the point that users must vociferously demand a level of security from the firms that create the products we rely on to keep our systems safe. He and his fellow speakers were voicing their opinions at last month's RSA Security conference in San Francisco.
Schneier's seemingly simple point was predicated on his belief that security vendors are driven primarily by profit, and will not put much effort into any process that is not directly related to that pursuit. At the end of the day, these firms will undertake such activities only when they are demanded of them, whether by government, by partners or by customers.
If corporate users, beset by a constant bombardment of security threats, want vendors to do what it takes to truly solve the problems that are keeping them up at night, Schneier opined, they have to state their demands clearly and basically kick and scream until the vendors have no choice but to act on them. Otherwise, vendors will ultimately do only what is required to keep revenues at a level that satisfies their shareholders and board members.
However, voicing those demands, Schneier noted, isn't as easy as it might seem. Such a concerted effort can't be carried out until customers coordinate their requirements into a single set of requests. In other words, deciding what should be demanded is a step that hasn't yet been completed.

Another point the panel discussed, one that potentially restricts the robustness of security solutions, was the extent to which governments should intervene in securing public networks, most notably the Internet.
It's conceivable that governments could pay much more attention to the network security picture, potentially by bringing in legislation that would require industry players such as ISPs to make breaches less likely, or that would allow law enforcement to make the perpetrators of cybercrime pay much stiffer penalties than is currently the case.
This takes the security regulation debate into the realm of party politics. Should the state take a highly active or a laissez-faire stance on the matter? As with all social questions that present these two approaches as options, convincing arguments can be made for each.
In general, the more a government involves itself in policing the Internet, the safer the Internet should conceivably be. However, some argue that such intervention makes the Internet less open, and that the less open it becomes, the less freedom developers have to help it live up to its potential as a communications medium.
As is also the case with similar political issues, the realistic situation that has grown up around IT security, and which will continue to exist, is one of compromise. Whether a left-leaning or a right-leaning government holds power in western countries, it seems clear that the state will play a limited though fairly active role in the security picture. Neither side will see this as an adequate approach. Observers can therefore expect the debate to continue for quite some time.