Clashing over cybersecurity

Industry leaders and critics argue about cybersecurity regulation.

SAN FRANCISCO — Sharp exchanges among information technology industry leaders and critics during a discussion at the RSA Security Conference suggest that consensus on regulating cybersecurity will be difficult to reach.

The closest opponents came to agreeing was on requiring software companies to disclose the degree to which they follow industry best practices for writing secure software. "The market works better when it's informed," said Richard Clarke, the former U.S. cybersecurity czar who is now chairman of Good Harbor Consulting.

Arguing for regulation of the IT industry, Clarke said caustically, "Industry doesn't want to be regulated. There's a surprise. Industry only responds when you threaten regulation."

Harris Miller, president of the Information Technology Association of America, said the IT industry opposes regulation for a number of reasons, which he said include its stifling effect on innovation. Miller also said enough legislation already exists to regulate cybersecurity and that industry is making progress.

ITAA officials will release a report today on industry's cybersecurity progress. Miller said he would give industry a B-minus, with the exception of the telecommunications and financial services industries. But the federal government, he added, hasn't exactly been a good cybersecurity role model.

Rick White, a former U.S. congressman who is now president and chief executive officer of TechNet, said he would give the IT industry a B-minus for cybersecurity. Improvements "are not going to happen as fast as we'd like," White said, adding that self-regulation by people who know the industry will produce better cybersecurity.

Bruce Schneier, chief technology officer at Counterpane Internet Security, defended regulation, but with a caveat. "Regulation will stifle innovation," Schneier said, adding the public and lawmakers must choose between innovation and security. But it is important, he said, that companies bear the financial responsibility of their products' security vulnerabilities.

"The people who write the software don't bear the losses for their mistakes," Schneier said. "That fundamental economic disconnect needs to be rectified somehow."

Schneier said he would give industry a different cybersecurity grade than his colleagues. "I give them a C, but I grade on a curve."
