Time to regulate the software industry?

R.A. Hettinga rah at shipwright.com
Thu Feb 17 09:41:58 PST 2005



 Time to regulate the software industry?

 By Dawn Kawamoto

 Story last modified Wed Feb 16 20:20:00 PST 2005

 SAN FRANCISCO--A panel of security experts on Wednesday debated the merits
of regulating the software industry to curtail software flaws--and hence
reduce the volume of virus attacks.

With software flaws serving as the open door to viruses and worms, a panel
of industry experts at the RSA Conference here debated whether it's time to
regulate software companies. The experts were mixed on the effectiveness of
such a plan and whether it could be undertaken without curtailing

 "The issue is not to regulate or not," said Harris Miller, president of
the Information Technology Association of America. "Our industry is all
about innovation, and my concern with regulation is it's often the enemy of

 In that same vein, Rick White, chief executive of technology advocacy
group TechNet, said the industry should come together and develop
guidelines for best practices on developing software with minimal flaws,
rather than imposing regulations.

 "Congress will never solve the problem as well as the people who work in
the industry," said White, a former congressman from Washington state.

 But other panelists were not as sure.

 Dick Clarke, chairman of Good Harbor Consulting and former presidential
special advisor on cybersecurity, noted that past efforts to have industries
develop their own guidelines and then follow through on them have failed. He
pointed to a deal Michael Powell, outgoing Federal Communications Commission
chairman, struck with Internet service providers (ISPs).

Powell held a meeting with ISPs, at which they developed guidelines. And
although Powell threatened to regulate their industry if they did not abide
by those guidelines, the ISPs did not adhere to their own self-imposed
practices, Clarke said.

 "Powell bluffed them. They knew it, and now he is leaving office," Clarke

 Other panelists, such as encryption expert and author Bruce Schneier, also
called for more action to prompt software vendors to vet their code before
releasing it to the market.

 "If we make it in their best interest to do this, then it will happen. You
need to find a set of financial incentives," Schneier said. "Regulations
would increase the cost of not doing security, and that would increase
security (testing)."

 He noted that companies which currently take the time to test the security
of their software before releasing it to market are at a
disadvantage--higher costs and a potentially later arrival to market.

 Additional financial incentives may come from customers demanding a
certain level of security testing from a vendor, before agreeing to sign a
contract to purchase their products, Schneier said.

 In offering a post-Sept. 11, 2001, warning, Clarke said: "Regulation is
neither good nor bad...but the industry should bear this in mind. After we
have an incident, regulations will be much worse."

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
