Interesting People mailing list archives

The Business Roundtable report


From: David Farber <dave () farber net>
Date: Fri, 21 May 2004 04:09:00 -0700



Begin forwarded message:

From: William L Scherlis <scherlis () cs cmu edu>
Date: May 20, 2004 9:14:03 PM PDT
To: dfarber () cs cmu edu
Cc: Bill Scherlis <scherlis () cs cmu edu>
Subject: The Business Roundtable report


Dave,

I think the Business Roundtable report (as it is reported) is a
positive development for US software-related industries, and its
stakeholders, both. There is competitive advantage and
differentiation to be gained if software organizations can reach a
level of sophistication that enables them to make promises about
the systems they produce. It is clear that this kind of
fundamental change must be driven by the market.

While government has been a source of "leading demand" in this
regard for many years, its buying power (even in the aggregate) is
insufficient when bluntly used to try to force such a profound
cultural change. Government can stimulate change only when it
combines its buying power with acting in its traditional leveraged
mission-R&D management style. But it seems to have stepped aside
from this model for the past five years or so, suggesting that
instead "industry will do it."

This defies both the economics of the industry and the historical
truth of the past 50 years of IT innovation.

Really, there are (at least) two necessary ingredients:

(1) A strong message from the market. The Business Roundtable
action below is good evidence this is really happening. Other
good evidence is Microsoft's market/technical response to the
message, which includes progress regarding bluescreens (watson,
Slam, etc.), rapid security patch distribution (automatic
notification, rapid update), and the like.

(2) Ability in the R&D community to implement enough of the
critical elements of an engineering solution in the near term
that there will be confidence that investment in a better future
will pay off. My belief is that this is also happening,
particularly in specialist applications in industry (viz. the new
generation of quality tools at Microsoft and IBM, in particular).

The emerging evidence in support of this case is recent -- only in
the last 3-5 years. The combination of this new evidence with the
rapid escalation of need creates an urgency for action.

The real story, now, is not about cybersecurity needs and Grand
Challenges.

It is instead about the emerging technical opportunities and the
suddenly real possibility of actionable Grand Strategies. These
must involve government, industry, and academia in genuine public-
private partnerships.

Certainly, there will be innovation and consequent disruption, but
let's keep in mind that the 50-year history of IT innovation (for
government and business) is in fact a history of ongoing
disruption. The successful domestic major players (vendors, SIs,
and major user organizations) know how to manage this kind of
change -- and this knowledge gives them enormous market advantage
over firms whose principal stake is in the status quo. These
latter firms will need to learn to adapt.

My point is that this report is a positive development, and we
should not only welcome changes that lead to improved
trustworthiness, dependability, security, etc., but also assist in
bringing them about. The tip that is about to happen is of great
significance for both national and economic security.

We should not fear innovation and disruption, and, even more
importantly, we should not fear appropriate participation from
government with respect to both (1) its traditional historic role
in strategic non-appropriable / pre-normative R&D and (2) leveraged
use of its buying power (cf. the comment above), particularly in
acting in its long-term interest (its leading demands, e.g., for
high security and dependability) in its own supply chain for
government IT capability.

Bill
****************

Words from the Business Roundtable report:

"Most of the significant cyber incidents that have harmed
American business and consumers over the past several years have
had at their root cause defective and readily exploitable
software code.

"Most software development processes used today do not
incorporate effective tests, checks, or other safeguards, to
detect those defects that result in product vulnerabilities"

See reporting in
http://www.washingtonpost.com/

Old Economy Fed Up With Cyber-Security -- By Jonathan Krim
Thursday, May 20, 2004; Page E01

****************

