Mark Curphy had an interesting post last week titled "The Future : Regulation is Futile – Market Forces Will Prevail" with which I take a bit of an issue. In particular, I question his premise that market forces are able to prevail in this day and age. I would counter that there are no real market forces any more, at least not in the US. Just the opposite: corporate interests have so pervaded life and politics that there is no objectivity and no free market. The US has entered into a prolonged period of protectionism (look at the post-9/11 landscape... look at the current treatment of borders...). Protectionism reduces the number of genuine competitors on a level playing field, effectively creating monopolies or oligopolies (*ahem* Big 3 anybody?), with the net effect being a reduction in competition, options, and, overall, quality. From the perspective of security and civil liberties, protectionism and an overt focus on corporate interests are a disservice to consumers.
Interestingly, the only place where Mark really tackles the notion of regulations and their role is in this bit:
Super Crunching – Regulations will not work. “You can’t regulate the problem away”. Market forces drive economic change and when the cost of security becomes something everyone considers, people will act on Fact and not FUD. In order to get to a place where people can make informed decisions, you know like “what’s the real likelihood that this XSS will actually get exploited or show up in the media” or “How many security bugs per KLOC is an acceptable ratio”, we need to be able to perform detailed analytics. This means data warehousing and mathematical analysis. The reason an insurance actuary can provide a price for me to drive a Ferrari is that there is empirical data to show that a rich middle aged man who goes out and buys a Red Ferrari is more likely to wrap it around a pole (showing off to his blonde bimbo mistress) within a few months than a middle income guy who chooses to drive an Aston Martin DB5 and just loves cars. Market forces (insurance) will drive change. Market forces require empirical data to provide a framework in which to trade.
This quote is a bit of fantasy, for several reasons.
First, the so-called "market forces" have to exist in a competitive landscape where consumer opinion is actually considered. In the current age, this does not seem to be particularly true or accurate.
Second, to believe in this age that people will ever consider "Fact" over "FUD" is, I think, sheer folly. One need only look at the surging charismatic Christian movement tied to the fundamentalists within the GOP to see that there is a significant portion of the country that is far more interested in FUD. Look at all the FUD-based arguments used consistently by the GOP in the face of any legislation they disagree with these days.
Third, yes, I agree, we absolutely need to be able to perform detailed analytics. Now, if I could just find that hidden stack of data covering the last 40 years of computing. Oh, right, it doesn't exist. Sure, Verizon has produced a report 2 years running based on data breach investigations, which is helping. Sure, Whitehat Security is releasing quarterly reports. However, these are far short of the full picture. And, as much as I know Bayes can give us modeling with little or no data, the simple fact is that you have to have some data at some point to validate the model. To build a model and then never test it is not sound thinking.
Fourth, again, yes: "Market forces require empirical data..." - show me the data! More importantly, show me the regulation that requires disclosure to an independent agency that can then develop and release non-identifying aggregate data. That would be extremely helpful.
Four Cases for Regulations
Following are four examples where regulations are needed and important.
Disclosure/Reporting
The first regulation that is much-needed today is one that creates a central reporting agency responsible for receiving all reports - not just on data breaches, but also on best practices, current state of security, number of entities with sensitive data, etc. Currently, there is no consistent requirement for reporting, and thus we're heavily reliant on self-reporting through organizations like Verizon Business.
Some have argued that such a requirement (along with the next one) would have a detrimental effect on company valuation. On the one hand I say "great!" because companies need to feel the impact of their improper risk management. On the other hand, I think we'd see a desensitization of the market to breach reporting after an initial spike until breaches themselves became less common.
Disclosure/Notification
Consumers need protection from corporations, and one such mechanism for accomplishing this would be through breach notification. Many states have such laws today, which is creating a high degree of complexity. It is thus time for a federal breach notification law that sets a reasonably low threshold triggering a notice, but that also sets multiple notification methods (mail, email, TXT/SMS, phone call, etc.).
Privacy/Consumer Protection
As noted in my earlier post, "The New School of Privacy", it's time to update legislation to reinstate reasonable consumer protections when it comes to personally identifiable data. As we're finding out, it doesn't even take all that many data points to make something personally-identifiable. To expect that corporations will of their own accord protect this data - and, by extension, consumers - is sheer folly. The age when corporations acted in the best interest of citizens and society is over (did it ever exist?). Corporations act in their own self-interest. Thus, it's necessary for the government to push back where the citizenry cannot.
Reasonable Care / Due Diligence
This idea will be the most controversial, but I think it's absolutely necessary. While the T.J. Hooper case established a precedent for standard of care with technology, the effect seems to be highly limited today. As such, the bar needs to be raised. In many ways, I marvel at the federal requirement for government to use NIST standards and practices, while corporations are under no such burden.
Shaping this type of legislation would be a terrible challenge, and enforcement would be even worse. Frankly, the state of enforcement is screwed up beyond repair. Auditing IT is a failed concept, and one that needs to be thrown away. To think that a quarterly or annual checklist audit will demonstrate a standard of care is absurd, since technology changes so rapidly.
Instead, I think we need a combination of approaches that, in particular, introduce very real liability concerns for all corporations, regardless of size. At the same time, I think there needs to be a forced re-leveling of the field. For example, banks and credit card companies are much better able to address security concerns than are the average small businesses. Yet, industry regulations (*ahem* PCI) put the onus squarely onto the shoulders of those who are not well-suited to handle it. Why is this?
One way to accomplish this objective would be to follow Ed Bellis' call for removing the value of the data (see his inaugural CSO post here for more info). However, it seems unlikely to me that corporations will do this on their own. Consider that we're still using 1974 technology (mag stripe cards) in the face of superior alternatives. If large multi-national corporations are not willing to shoulder incremental improvements voluntarily, then it is incumbent upon the government to re-balance the scales.
There is likely more that can be done in this area of reasonable care and due diligence. For instance, require that a minimum level of risk management be formally implemented, leveraging an existing standard. Or, set a minimum benchmark for due care that, if met, reduces the statutory liability burden. At any rate, something needs to be done, because the current state of things is inadequate.
Last Thoughts...
Are federal regulations a panacea? Obviously not. And, in most cases, I would agree that less regulation is better than more. However, if there's one thing that is painfully clear today, it's that corporations are not willing to act in the best interest of consumers, and by extension not in their own best interests. Now that we're on this path, it becomes the responsibility of a third party to correct the course, lest we end up smashed against the rocks. Requiring reporting and notification, setting a new standard of care for data privacy, and setting a minimum standard of care for data protection all seem to be reasonable targets for regulation.
This being said, regulations must be drafted by intelligent, knowledgeable, non-corporate forces. Leaving something so important to the political machine is naive, as is expecting that corporations will knowingly lock themselves into stringent regulations. Instead, a tremendous stroke of political willpower will have to be mustered, with the assistance of those seeking overall improvement and a correction of our course. Well-written and well-considered regulations can help us get to that point, but not on a whim.