<http://news.com.com/2102-7348_3-5579963.html?tag=st.util.print> CNET News Time to regulate the software industry? By Dawn Kawamoto Story last modified Wed Feb 16 20:20:00 PST 2005 SAN FRANCISCO--A panel of security experts on Wednesday debated the merits of regulating the software industry to curtail software flaws--and hence reduce the volume of virus attacks. With software flaws serving as the open door to viruses and worms, a panel of industry experts at the RSA Conference here debated whether it's time to regulate software companies. The experts were mixed on the effectiveness of such a plan and whether it could be undertaken without curtailing innovation. "The issue is not to regulate or not," said Harris Miller, president of the Information Technology Association of America. "Our industry is all about innovation, and my concern with regulation is it's often the enemy of innovation." In that same vein, Rick White, chief executive of technology advocacy group TechNet, said the industry should come together and develop guidelines for best practices on developing software with minimal flaws, rather than imposing regulations. "Congress will never solve the problem as well as the people who work in the industry," said White, a former congressman from Washington state. But other panelists were not as sure. Dick Clarke, chairman of Good Harbor Consulting and former presidential special advisor on cybersecurity, noted efforts to have industries develop guidelines and follow through have failed in the past. He pointed to a deal Michael Powell, outgoing Federal Communications Commission chairman, struck with Internet service providers (ISPs). Powell held a meeting with ISPs, where in they developed guidelines. And although Powell threatened to regulate their industry if they did not abide by those guidelines, the ISPs did not adhere to those self-imposed practices, Clarke said. "Powell bluffed them. They knew it, and now he is leaving office," Clarke said. Other panelists, such as encryption expert and author Bruce Schneier, also called for more action in prompting software vendors to vet through their code before releasing it to the market. "If we make it in their best interest to do this, then it will happen. You need to find a set of financial incentives," Schneier said. "Regulations would increase the cost of not doing security, and that would increase security (testing)." He noted companies that currently take the time to test the security of their software before releasing it to the markets are at a disadvantage--higher costs and potential late arrival to the market. Additional financial incentives may come from customers demanding a certain level of security testing from a vendor, before agreeing to sign a contract to purchase their products, Schneier said. In offering a post Sept. 11, 2001, warning, Clarke said: "Regulation is neither good nor bad...but the industry should bear this in mind. After we have an incident, regulations will be much worse." -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'