IT Security Regulations and Innovation


I was reading with interest this overview of the “Cyberwar Panel” at RSA 2011 and ran across this sentence about regulating IT security:

“Regulate results, not technology,” Schneier said. “If you regulate technology, you stifle innovation. If you regulate results, you incent innovation.”

I got to thinking what that could mean. It’s pretty obvious how to regulate results when you have a specific measurable goal such as smog reduction or crash safety standards. But how do you regulate results when the ideal result is “nothing happening”? It seems to me that there isn’t a meaningful way to regulate without regulating technology (at least to some level), and the rate of change in the world of computing and networking is just too high to allow that to work.

Then there was talk of modelling security regulations on Sarbanes-Oxley:

Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said.

Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.

Sarbanes-Oxley has certainly worked if the goal was to prevent companies from going public in the US. I don’t really think this is any kind of model to base regulations off of.

I personally think that the main reason we haven’t had a “Cyber Pearl Harbor” is due in large part to the absence of regulations. The rate of unfettered innovation has meant that the security environment is so diverse that it’s not possible to launch such an attack at a single point. The Stuxnet worm is a good example. Not only is it probably the most advanced and complicated attack yet devised (and possibly with the resources of a nation state behind it), but it also got nowhere near the destructive power that’s got regulators worried.

I’m not foolish enough to think that a “Cyber Pearl Harbor” is impossible, but I also think that if such a thing is possible it’s going to happen in a way that no forward thinking (short of divine prophecy) is going to prevent. As soon as regulations come into play, technology will begin to homogenize and a single point of failure will become more obvious.

But I’m not a security expert, just some idiot with a keyboard, so I’d love to hear what your thoughts are on the topic.