Point/Counterpoint: Federal IT Security Regulation

Point: Bruce Schneier / Counterpoint: Marcus Ranum

Regulations are a good idea, but they need to have teeth – which means that there need to be serious consequences for non-compliance, not cheerful slaps on the wrist. Every year the Department of Whatever gets written up as having gotten a ‘D-’ in FISMA compliance but someone is quick to point out that ‘D-’ is a huge improvement over last year’s score of ‘F’. I suppose we’re supposed to be impressed that our taxpayers’ dollars are achieving results of "sucks" instead of "sucks abysmally" but I am not. The whole idea of mandating some kind of security regulation is to establish a minimum consistent practice – i.e.: introductory level stuff. I’m sorry if I sound like a hard-case, but "attaboys" should not be handed out for even excellent compliance with a remedial baseline! This isn’t a political correctness feel-good game in which every child wins his or her own special prize – this is a serious matter. Our federal agencies are spending serious dollars and their moving from an ‘F’ to a ‘D-’ is not evidence of accomplishment; it is evidence of incompetence, mismanagement, and waste.

As Bruce says, moving toward liability instead of regulation is an attractive-seeming approach. But anyone who has spent time training animals will tell you that you can’t train an animal simply by punishing it into doing the right thing. Holding companies, agencies, or individuals liable is simply punishing them; you need a specification of that minimal baseline that you can communicate effectively. Did you notice the word "consistent" that I used, earlier? One of the little thunder-clouds in the information security horizon is the notion I’ve heard bandied about that FISMA, SARBOX, HIPAA, etc (which are already extremely watered-down) are likely to get more watered-down in the future. One IT executive I was talking with yesterday opined that it would have been a successful strategy to simply ignore HIPAA for a couple of years because the costs of compliance have been dropping faster than the down-side for non-compliance has risen. It’s naïve to think that individuals or governments are going to be able to hold people who think like that liable – they’re already smarter than the regulators and have a vastly superior understanding of arbitraging and deflecting risk. On the federal side, when the message to agency IT managers and execs is "comply or we’ll, um, tell you to comply some more!" you can see why the entire regulatory exercise has resulted in a paper tiger. Dare I say, a paper tiger without even teeth or claws.

I am totally in favor of federal IT regulation. In fact, I’d love to help write some. Unfortunately, mine would make people cry because they’d have rules like, "If your agency has to admit that 10+ terabytes of data have left your network headed for China, and you just now noticed, every manager in your IT organization from the CIO down gets a pink slip." I know, I know, you don’t have to tell me nobody ever gets fired from a government job – no matter how incompetent they may be – but maybe that’s got something to do with why things are such a mess out there. We need federal IT security regulation. But what we need is regulations that read like they were written by Napoleon Bonaparte and that are enforced by Vlad the Impaler – not the kind of Alfred E. Neuman stuff we’ve got right now.

The balancing-point between regulation and liability is probably the one place where I disagree most strongly with Bruce, in the entire spectrum of security. Bruce is right: regulation is all about economics, but so is liability. And the problem with adopting an economic perspective on security is that it encourages people to believe that there are trade-offs where, perhaps, none really exist. When a US Marine Corps Drill Sergeant tells you it’s time to charge up the hill as fast as you can, you don’t get to sit down and perform an economic analysis between the marginal probability he’ll bite your head off and the expected calorie cost of compliance. You start running and you don’t look back or complain. Allowing security to be driven by liability means that you’ve still turned it into an economic problem, only the economics are now under the control of lawyers and liability quants. None of the folks who want to approach security as an economic problem "get it" – intelligence warfare (which is what we’re dealing with) presents costs that may not be measurable, or may be measurable only in a generational scale through the fall of a great republic. You just can’t put a price-tag on that, and a ‘D-’ in the game of empire is not a passing score.

My feelings about federal security regulation mirror Gandhi’s famous comment regarding western civilization: "It would be nice." But, please, let’s make sure that any regulations we enact have sharp teeth!