Will companies improve security voluntarily?

Government IT regulation sparks fierce debate

Tempers fray at RSA Conference as experts discuss government role in security

Written by Iain Thomson at the RSA Conference in San Francisco

vnunet.com, 17 Feb 2005

A series of heated exchanges at the RSA Conference left tempers frayed yesterday as experts debated the pros and cons of governments trying to regulate IT security.

Bruce Schneier, a cryptographer and IT security expert, Richard Clarke, former White House advisor on cyber-security, Harris Miller, president of the IT Association of America, and Rick White, president of TechNet, debated the role of regulation but found little common ground.

"We have a problem," said Clarke. "I opposed regulation in both the Bush and Clinton administrations. We now have some regulation and most of it does not work well."

He went on to state that, if he were grading the Bush government on its regulation progress, he would give it an 'F'.

Schneier, on the other hand, proved a fan of regulation, maintaining that it was the only way to get companies to write more secure code.

"What regulation does is change the trade-offs a company makes," he said. "The capitalist incentives are not in line with the results we want as a society. If we make it in a company's interests to make secure products, it will."

Schneier explained that companies would always choose to place less emphasis on security if it meant cutting into profits, and that the only way to reverse this is to make the penalties for insecure code greater than the cost savings of releasing insecure code.

But speaking for the industry, Miller strongly opposed further regulation. "Our industry is all about innovation and the concern we have is that regulation can be the enemy of innovation," he claimed.

"Even heavily regulated industries like the auto sector have problems. There are already plenty of laws on the books to deal with this."

The panellists found little to agree on, with the discussion turning heated on more than one occasion. Clarke finished his arguments with a warning on the consequences of inaction.

"Industries say that they don't want to be regulated; there's a surprise," he said. "Industry only responds when you threaten it with regulation. After a major incident there will be worse regulation than you have now."