The Internet Law and Public Policy Forum held a conference in Seattle this fall.
It featured speeches by information security vendors, companies with enterprises of their own to secure, and government officials, with representatives from Europe, Asia and the United States. That leaders of the internet community focused on this issue is news in and of itself. Everyone agreed on the need for greater information security. The problem is that no one came up with a methodology that would make it worthwhile, in the current economic environment, for companies to implement information security measures on a broad basis.
This has been the practice and pattern for many years across a wide range of industries. While enterprises give lip service to the need for security, the costs in terms of software and equipment as well as personnel have resulted in a cybersecurity system with more holes in it than Swiss cheese.
If an investment does not show a return this quarter, it most often does not get made. This economic reality leaves our information-based economy vulnerable to attack. If we wish to avoid a cyber Pearl Harbor at the hands of terrorists or others hostile to Western economies, the world needs to find a way to change the incentive structures corporations face with respect to information security.
Some might advocate government regulation as the solution. If executives face penalties when they do not implement security measures, they will indeed implement the mandated solutions. Government regulation, however, comes with very significant costs. While the government can mandate action, it can also slow the technological development of whole industries, and regulation is often used by incumbents as a tool to stop innovative new competitors. It is also of limited effectiveness given the rapidly changing pace of technology and the constant back and forth between defense and offense in information technology security.
There are cases where the private sector has done well in protecting information systems. Financial institutions are one important example. It is in the economic interest of banks to make sure their enterprises are secure. A breach can lead to theft of money. A failure can lead to a lack of faith of depositors and a run on the bank. Critical infrastructure industries and ISPs, which have a great deal at stake, have also made great progress. Some vendors whose reputations and thus future sales have been threatened by past breaches have recently made security a higher priority in their design process, Microsoft being one example.
These private sector successes provide important lessons about what we can do in the future. If we can change the economic incentives for companies, we may be able to change their inclination to implement cybersecurity protections.
One way of doing this would be to create a private sector organization that would focus on information security globally. It could include information exchange, best practices, educational sessions and standards development. It could have industry-specific subgroups.
A key benefit to this approach is that it would spread out the costs of adopting information security practices and policies over many players, reducing the burden on individual companies. If participation were broad, it would also reduce any cost advantages that companies which did not adopt information security protections might have over those that do.
Moreover, by creating actual or de facto standards, such a group could create a tool by which companies' efforts could be measured. Customers, government officials and business partners could ask companies whether or not they complied with the industry standard.
Such a group could also have more impact globally than governmental efforts. Information security needs to be addressed on a transnational basis, since computer networks span national boundaries. Government regulation cannot do this, since a country's rules stop at its borders. Negotiating treaties and passing implementing legislation take several years at a minimum and are a very cumbersome process. A private sector group would not be subject to this limitation and could change its rules as events warrant.
The key step is for company representatives, government officials, and academic thought leaders to come together to see that such an organization is formed, before it is too late.
Edward Hearst is an e-business and government affairs consultant. He may be contacted at [email protected].