Report: Market forces not enough to improve security

[InfoSec News <isn () c4i org>]

Forwarded from: Bob <bob () globaldevelopment org>

http://www.idg.net/ic_959229_4394_1-1681.html

By DAN VERTON
OCTOBER 24, 2002
Computer World

Market forces alone are unlikely to create the necessary incentives
for businesses to make significant improvements in security, according
to a study published this month by the Brookings Institution.

The study, "Interdependent Security: Implications for Homeland
Security Policy and Other Areas," released Oct. 17 by the
Washington-based public policy think tank, argues that the shared-risk
nature of today's security environment actually discourages companies
from making the sometimes costly investments in security.

In addition, the report states that when industry-leading companies
fail to invest in certain security precautions -- because of cost or
other reasons -- the knowledge that those companies aren't making such
investments can help "clinch a decision not to proceed" at other
firms.

"In these circumstances, an entire industry may be unwilling to take
reasonable precautions against catastrophe," according to the report.
Therefore, "a combination of regulations, insurance and third-party
inspections offers the most auspicious approach to improving security
at reasonable economic cost."

The Brookings study comes at a time when many in the private sector,
including experts from various software developers and security
service providers, have been quietly expressing dissatisfaction with
the White House's recently released National Strategy to Secure
Cyberspace. According to some industry and Wall Street observers, the
plan's reliance on market forces to drive security investments in the
private sector is its Achilles' heel. When asked recently if they
thought the plan's market-focused approach would work, a group of Wall
Street venture capital experts and CEOs simply shook their heads and
laughed.

Howard Schmidt, vice chairman of the President's Critical
Infrastructure Protection Board, said in a telephone interview from
Pittsburgh, where he was attending the latest of the White House's
Town Hall Meetings on the national strategy plan, that the Brookings
study is but one perspective on the role and definition of market
forces.

"I've seen a tremendous shift in awareness and the way people look at
what they expect from the market," said Schmidt. "We don't think the
answer is going to be as Draconian as [the Brookings study] indicates.
Market forces does not only apply to the development of software and
hardware. It also applies to the need for individual organizations to
secure their environment."

In an interview last month on the topic, Richard Clarke, chairman of
the President's Critical Infrastructure Protection Board, acknowledged
the existence of a "middle ground" between government regulation and
industry self-regulation.

"There are laws already on the books that generally require IT
security measures," he said at the time. While those regulations may
be tweaked, there are no plans to propose new ones, Clarke said.

"Market forces alone do nothing to address the [lack of perceived
threat] that exists within the private sector," said Jon Karlen,
general manager of contactless technologies at NTRU Cryptosystems Inc.
in Burlington, Mass. "Companies have little incentive to bear the
costs of protecting against an event that is highly unlikely to target
them individually."

However, because most corporate executives still view security as an
expense with no tangible return on investment, "market forces won't
influence anything in the purest sense," said Keith Morgan, chief of
information security at Terradon Communications Group LLC, a Nitro,
W.Va.-based content management firm. "If we just rely on the
corporation's good faith, or consumer demand, we'll be waiting a
while."

Morgan, like others, would like to see the government get tough with
companies that fail to take some sort of minimum appropriate action to
ensure their systems are secure. That could come in the form of
legislation that assigns financial liability for operating insecure
systems, he said. But not everybody is ready to ask for more
government.

"I agree that reliance on market forces alone will not appreciably
move the industry forward," said Michael Karaman, senior vice
president and chief technology officer at The MedStat Group Inc. in
Ann Arbor, Mich. "On the other hand, I would dread having the
government heavy-handedly dictate appropriate security measures."

Karaman said he would be more supportive of "a hybrid approach" that
relies on a mix of government regulation and independent, for-profit
security assessment agencies that could give firms a stamp of
approval.

But many, like Karlen and Russ Cooper, the surgeon general of
TruSecure Corp. in Herndon, Va., who has come out publicly against the
White House's hands-off approach, think the government is the only
institution that can force real change.

"As a central authority, the government is in the best position to
institute guidelines to be followed by the private sector and, where
appropriate, bear the costs of the security infrastructure," said
Karlen. "Left on its own, the private sector will never have the
proper incentive to cooperate to the extent required to provide
adequate homeland security."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.