Cybersecurity: Too important to leave in private hands?

Commentator asks why vendors are not sued for flaws

WASHINGTON - The cybersecurity of the U.S. is too important to leave to the chance that marketplace incentives will lead to more secure software, a liberal commentator and a cybersecurity analyst argued Monday at the Gartner IT Security Summit.

"Isn't the threat too great to leave it in the hands of the private sector and count on them to do it themselves?" said Bill Press, a liberal commentator on MSNBC and columnist for the Chicago Tribune.

During a panel discussion about the possibility of government creating cybersecurity regulations, Press and Rich Mogull, a research director for Gartner Research, both advocated government taking a more active role. While others on the panel suggested the U.S. government could affect cybersecurity by using its huge purchasing power to influence companies, Press questioned why software vendors aren't sued for selling products with security flaws.

Without laws allowing software vendors to be sued, "you are rewarding people for selling broken products," he added. Instead of software vendors being held responsible for cybersecurity problems, the buyers pay the bill, Press said.

"If I'm a pharmaceutical company, and I put out a bad drug, my (butt) is going to get sued," Press said. "Why no liability (laws) for software manufacturers?"

Others suggested that defining software security in a law would be nearly impossible. Writing software is more of an art than an engineering science, said John Pescatore, vice president and research fellow at Gartner Research. Instead of government regulations, software buyers should demand better products, he said. In all but the desktop market, where Microsoft Corp. dominates, competition over the past couple of years has helped improve software security, Pescatore added.

"If you want to buy crap, the vendors will sell you crap," he added. "You control it with your marketplace."

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News' Beltway Boys, asked the panel why more cybersecurity legislation hasn't been considered in the U.S. Congress.

"There's a fear of stifling innovation," said Roger Cressey, president of Good Harbor Consulting LLC and former counterterrorism expert at the White House. "Innovation in the software industry is measured in a matter of months, not a matter of years."

Barnes noted that some government and private cybersecurity experts have been warning of the possibility of a "digital Pearl Harbor," a massive attack on U.S. IT assets, for several years. He asked how likely such a scenario was.

The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. "The abilities of the bad guys get better every day," he said.

The U.S. isn't ready for a concerted cyberattack, but the government is headed in the right direction, Cressey said. When Cressey was at the White House, he was concerned about a so-called "swarming attack," in which a cyber attack was coupled with a physical attack.

Cressey predicted national legislation would follow a major cyber outage, and Congress would legislate with "a hammer instead of a scalpel."

"If we ever truly have a major cyber event ... then you're going to see Congress legislate," Cressey said. "They will legislate because of a public outcry. It will be bad legislation."

Gartner's Pescatore predicted that legislation focused on protecting critical infrastructure would eventually be passed. "We should all be willing to pay more for electricity and for Internet access," he said.

But Dix, from the House Government Reform Committee, said he hopes legislation will not be necessary. His subcommittee's chairman, Adam Putnam, a Florida Republican, floated a draft bill in late 2003 that would have required public companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission. However, Dix said Monday he hopes the subcommittee's efforts to raise awareness about cybersecurity will get company chief executives to take the issue seriously.

But Press suggested that the software industry should be proactive and work with Congress now to pass legislation the industry can live with.

Press questioned whether software vendors would build in strong security mechanisms without a government prod. "I don't think you guys are living in the real world, to be blunt," he said to panelists advocating a marketplace approach. "We have a Clean Air Act because (manufacturing) plants aren't going to clean up the air on their own."
