Clashing over cybersecurity

SAN FRANCISCO — Sharp exchanges among information technology industry leaders and critics during a discussion at the RSA Security Conference suggest that consensus on regulating cybersecurity will be difficult to reach.

The closest opponents came to agreeing was on requiring software companies to disclose the degree to which they follow industry best practices for writing secure software. "The market works better when it's informed," said Richard Clarke, the former U.S. cybersecurity czar who is now chairman of Good Harbor Consulting.

Arguing for regulation of the IT industry, Clarke said caustically, "Industry doesn't want to be regulated. There's a surprise. Industry only responds when you threaten regulation."

Harris Miller, president of the Information Technology Association of America, said the IT industry opposes regulation for a number of reasons, which he said include its stifling effect on innovation. Miller also said enough legislation already exists to regulate cybersecurity and that industry is making progress.

ITAA officials will release a report today on industry's cybersecurity progress. Miller said he would give industry a B-minus, with the exception of the telecommunications and financial services industries. But the federal government, he added, hasn't exactly been a good cybersecurity role model.

Rick White, a former U.S. congressman who is now president and chief executive officer of TechNet, said he would give the IT industry a B-minus for cybersecurity. Improvements "are not going to happen as fast as we'd like," White said, adding that self-regulation by people who know the industry will produce better cybersecurity.

Bruce Schneier, chief technology officer at Counterpane Internet Security, defended regulation, but with a caveat. "Regulation will stifle innovation," Schneier said, adding the public and lawmakers must choose between innovation and security. But it is important, he said, that companies bear the financial responsibility of their products' security vulnerabilities.

"The people who write the software don't bear the losses for their mistakes," Schneier said. "That fundamental economic disconnect needs to be rectified somehow."

Schneier said he would give industry a different cybersecurity grade than his colleagues. "I give them a C, but I grade on curve."

