WASHINGTON - The cybersecurity of the U.S. is too important to leave to the chance that marketplace incentives will lead to more secure software, a liberal commentator and a cybersecurity analyst argued Monday at the Gartner IT Security Summit.
"Isn't the threat too great to leave it in the hands of the private sector and count on them to do it themselves?" said Bill Press, a liberal commentator on MSNBC and columnist for the Chicago Tribune.
During a panel discussion about the possibility of government creating cybersecurity regulations, Press and Rich Mogull, a research director for Gartner Research, both advocated government taking a more active role. While others on the panel suggested the U.S. government could affect cybersecurity by using its huge purchasing power to influence companies, Press questioned why software vendors aren't sued for selling products with security flaws.
Without laws allowing software vendors to be sued, "you are rewarding people for selling broken products," he added. Instead of software vendors being held responsible for cybersecurity problems, the buyers pay the bill, Press said.
"If I'm a pharmaceutical company, and I put out a bad drug, my (butt) is going to get sued," Press said. "Why no liability (laws) for software manufacturers?"
Others suggested that defining software security in a law would be nearly impossible. Writing software is more of an art than an engineering science, said John Pescatore, vice president and research fellow at Gartner Research. Instead of government regulations, software buyers should demand better products, he said. In all but the desktop market, where Microsoft Corp. dominates, competition over the past couple of years has helped improve software security, Pescatore added.
"If you want to buy crap, the vendors will sell you crap," he added. "You control it with your marketplace."
Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News' Beltway Boys, asked the panel why more cybersecurity legislation hasn't been considered in the U.S. Congress.
"There's a fear of stifling innovation," said Roger Cressey, president of Good Harbor Consulting LLC and former counterterrorism expert at the White House. "Innovation in the software industry is measured in a matter of months, not a matter of years."
Barnes noted that some government and private cybersecurity experts have been warning of the possibility of a "digital Pearl Harbor," a massive attack on U.S. IT assets, for several years. He asked how likely such a scenario was.
The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. "The abilities of the bad guys get better every day," he said.
The U.S. isn't ready for a concerted cyberattack, but the government is headed in the right direction, Cressey said. When Cressey was at the White House, he was concerned about a so-called "swarming attack," in which a cyberattack was coupled with a physical attack.
Cressey predicted national legislation would follow a major cyber outage, and Congress would legislate with "a hammer instead of a scalpel."