[ISN] Report: Market forces not enough to improve security

From: InfoSec News (isnat_private)
Date: Mon Oct 28 2002 - 04:15:09 PST

  • Next message: InfoSec News: "Re: [ISN] INFOSEC: Certifiably Certified"

    Forwarded from: Bob <bobat_private>
    OCTOBER 24, 2002
    Computer World
    Market forces alone are unlikely to create the necessary incentives
    for businesses to make significant improvements in security, according
    to a study published this month by the Brookings Institution.
    The study, "Interdependent Security: Implications for Homeland
    Security Policy and Other Areas," released Oct. 17 by the
    Washington-based public policy think tank, argues that the shared-risk
    nature of today's security environment actually discourages companies
    from making the sometimes costly investments in security.
    In addition, the report states that when industry-leading companies
    fail to invest in certain security precautions -- because of cost or
    other reasons -- the knowledge that those companies aren't making such
    investments can help "clinch a decision not to proceed" at other
    "In these circumstances, an entire industry may be unwilling to take
    reasonable precautions against catastrophe," according to the report.
    Therefore, "a combination of regulations, insurance and third-party
    inspections offers the most auspicious approach to improving security
    at reasonable economic cost."
    The Brookings study comes at a time when many in the private sector,
    including experts from various software developers and security
    service providers, have been quietly expressing dissatisfaction with
    the White House's recently released National Strategy to Secure
    Cyberspace. According to some industry and Wall Street observers, the
    plan's reliance on market forces to drive security investments in the
    private sector is its Achilles' heel. When asked recently if they
    thought the plan's market-focused approach would work, a group of Wall
    Street venture capital experts and CEOs simply shook their heads and
    Howard Schmidt, vice chairman of the President's Critical
    Infrastructure Protection Board, said in a telephone interview from
    Pittsburgh, where he was attending the latest of the White House's
    Town Hall Meetings on the national strategy plan, that the Brookings
    study is but one perspective on the role and definition of market
    "I've seen a tremendous shift in awareness and the way people look at
    what they expect from the market," said Schmidt. "We don't think the
    answer is going to be as Draconian as [the Brookings study] indicates.
    Market forces does not only apply to the development of software and
    hardware. It also applies to the need for individual organizations to
    secure their environment."
    In an interview last month on the topic, Richard Clarke, chairman of
    the President's Critical Infrastructure Protection Board, acknowledged
    the existence of a "middle ground" between government regulation and
    industry self-regulation.
    "There are laws already on the books that generally require IT
    security measures," he said at the time. While those regulations may
    be tweaked, there are no plans to propose new ones, Clarke said.
    "Market forces alone do nothing to address the [lack of perceived
    threat] that exists within the private sector," said Jon Karlen,
    general manager of contactless technologies at NTRU Cryptosystems Inc.
    in Burlington, Mass. "Companies have little incentive to bear the
    costs of protecting against an event that is highly unlikely to target
    them individually."
    However, because most corporate executives still view security as an
    expense with no tangible return on investment, "market forces won't
    influence anything in the purest sense," said Keith Morgan, chief of
    information security at Terradon Communications Group LLC, a Nitro,
    W.Va.-based content management firm. "If we just rely on the
    corporation's good faith, or consumer demand, we'll be waiting a
    Morgan, like others, would like to see the government get tough with
    companies that fail to take some sort of minimum appropriate action to
    ensure their systems are secure. That could come in the form of
    legislation that assigns financial liability for operating insecure
    systems, he said. But not everybody is ready to ask for more
    "I agree that reliance on market forces alone will not appreciably
    move the industry forward," said Michael Karaman, senior vice
    president and chief technology officer at The MedStat Group Inc. in
    Ann Arbor, Mich. "On the other hand, I would dread having the
    government heavy-handedly dictate appropriate security measures."
    Karaman said he would be more supportive of "a hybrid approach" that
    relies on a mix of government regulation and independent, for-profit
    security assessment agencies that could give firms a stamp of
    But many, like Karlen and Russ Cooper, the surgeon general of
    TruSecure Corp. in Herndon, Va., who has come out publicly against the
    White House's hands-off approach, think the government is the only
    institution that can force real change.
    "As a central authority, the government is in the best position to
    institute guidelines to be followed by the private sector and, where
    appropriate, bear the costs of the security infrastructure," said
    Karlen. "Left on its own, the private sector will never have the
    proper incentive to cooperate to the extent required to provide
    adequate homeland security."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 07:06:45 PST