WASHINGTON - A cybersecurity task force convened by a U.S. House subcommittee chairman released a series of recommendations this week, but some of the results created rifts between IT vendors and security advocates, including a request to allow IT purchasers to band together to dictate security standards to vendors.
Among the recommendations of the Corporate Information Security Working Group (CISWG), released this week by Representative Adam Putnam, was a proposal to change U.S. antitrust law to allow IT industry groups to agree on security specifications for software and hardware they purchase. The Information Technology Association of America (ITAA), which participated in CISWG, objected to that proposal, saying it amounts to a call for group boycotts.
"The proposal is that a larger group (of customers) would be able to form what amounts to a buyer's cartel to enforce a security standard the buyers' group endorsed," said Joe Tasker, senior vice president for government affairs at ITAA. "I don't see evidence that the marketplace has failed here."
Tasker objected to the antitrust exemption because a buyers' group could hamper innovation in IT products by having customers, not vendors, set the standards. Buyers' cartels are illegal under antitrust law, and most enterprises haven't demanded security-certified IT products, he added.
"If the buyer sets the standard, who knows if they're right?" Tasker said. "That's a prescription for a go-slow approach among vendors. (A buyers' group) changes the marketplace, and it's a killer on innovation."
In October, Putnam, a Florida Republican and chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, floated a draft copy of legislation that would have required publicly traded companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission. Putnam decided not to introduce the Corporate Information Security Accountability Act of 2003 after loud objections from IT vendors, but he called on vendors and buyers to come up with alternatives to federal legislation.
Putnam has already begun drafting legislation on one CISWG recommendation to identify information security as a component that must be evaluated in the IT investment decision-making and strategic planning for federal agencies, he said in a statement.
"It is important to note that a number of the recommendations require continued work, and form the foundation for the follow-up work that will proceed," he added in his statement. "Additionally, while it was the effort of CISWG to achieve consensus on this set of recommendations, there was not unanimity on all of the recommendations, and some members expressed concern that there were a number of recommendations that were not fully mature and required further discussion and debate."
The resulting CISWG, with about 25 organizations participating, broke into five subgroups that each worked on recommendations. The procurement subgroup, of which Tasker was a member, came up with the proposal for buying groups. But that proposal would raise vendor concerns over customer groups restraining trade and engaging in anticompetitive behavior, Tasker said. "There was no consensus on that one," he added. "Some of these things are clearly work-in-progress items."