IT-security. For some time now

IT-security. For some time now at conferences and in articles, I have tentatively broached the idea that a higher level of IT security will only result if companies in particular get strong economic incentives to improve their IT security. The IT industry has, not surprisingly, taken the viewpoint that market incentives are strong enough and that the role of government should be to educate and inform about IT security, not to regulate. I don't buy that argument. Even though I don't believe that government should mandate different levels of IT security in techno-specific legislation, I do believe that traditional tort or compensation law has a very important role to play. Companies, both software vendors and users, should be liable for the damage that insufficient IT security causes to others.

Interestingly, it seems that a trend is starting among IT security experts to share similar views. Listen to what Bruce Schneier has to say in the 15 October 2002 edition of his Crypto-Gram newsletter:

Security is a commons. Like air and water and radio spectrum, any individual’s use of it affects us all. The way to prevent people from abusing a commons is to regulate it. Companies didn’t stop dumping toxic wastes into rivers because the government asked them nicely. Companies stopped because the government made it illegal to do so.

In his essay on the topic, Marcus Ranum pointed out that consensus doesn’t work in security design. Consensus security results in some good decisions, but mostly bad ones. By itself consensus isn’t harmful; it is the compromises that are almost always harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn’t work because the one crucial party in these negotiations — the attackers — aren’t sitting around the negotiating table with everyone else. “And the hackers don’t negotiate anyhow. In other words, it doesn’t matter if you achieve consensus…; whether it works or not is subject to a different set of rules, ones over which your wishes exercise zero control.”

If the U.S. government wants something done, they should pass a law. That’s what governments do. It’s like pollution; don’t mandate specific technologies, legislate results. Make companies liable for insecurities, and you’ll be surprised how quickly things get more secure. Leave the feel-good PR activities to the various industry trade organizations; that’s what they’re supposed to do.
