The topic of regulating cybersecurity sparked a contentious debate between industry experts Wednesday at the RSA Conference.
"The industry only responds when you threaten regulation," said Richard Clarke, former White House cybersecurity czar and chairman of Good Harbor Consulting.
For ISPs to be connecting someone's mother to broadband without putting a firewall on that connection is a crime, he said. The reason the internet is plagued by so many "zombie" networks of compromised computers is that ISPs aren't putting firewalls on broadband connections, Clarke added.
Bruce Schneier, CTO of Counterpane Internet Security, said regulations would help change the tradeoffs companies make when they invest in security and increase the cost of not implementing security, possibly through the threat of lawsuits.
"I want to make it in their financial best interest to provide security," he said.
But Harris Miller, president of the Information Technology Association of America, said, "Our industry is all about innovation. Regulation often becomes the enemy of innovation."
He argued that there are already plenty of laws on the books, such as Sarbanes-Oxley, that affect cybersecurity, and that there are plenty of shared liabilities in the industry, such as service level agreements.
Rick White, president and CEO of TechNet, said Congress will never solve the problem of cybersecurity as well as those in the trenches dealing with it every day.
"It's better if we let people on the ground who understand these things deal with it," he said.
White said the industry should be given a little more time to tackle the cybersecurity problem instead of resorting to regulations, and accused Clarke of wanting to throw companies in jail. Clarke replied that he only supports fines, and asked how many years have to pass before ISPs implement firewalls on broadband connections.
To those who oppose regulations, Clarke warned: "After we have a major incident, there will be much worse regulation."
Mixed up in the debate was the issue of software liability. "Right now we have an economic problem that people who write software don't bear losses for their mistakes," said Schneier.
However, Miller said vendors are responding to customers' demands for security. Why else would Microsoft Chairman Bill Gates appear at the security conference, he asked. "Because it's cheaper than spending the money [on security]," Schneier quipped, drawing laughter from the audience.
Miller said software liability would only drive out innovation by making it impossible for a vendor to release a product without being sued.
Clarke said he does not support making software makers liable but said something has to be done to improve software quality. He suggested that software vendors be forced to disclose whether they are conforming to a set of security standards.
Schneier said some regulation, such as Gramm-Leach-Bliley, is helping to promote best practices. Miller noted that BITS, a financial services industry group, has told vendors to meet certain security standards: "That's customers saying 'we have certain expectations, otherwise we won't buy'."