Market forces alone are unlikely to create the necessary incentives for businesses to make significant improvements in security, according to a study published this month by the Brookings Institution.
The study, "Interdependent Security: Implications for Homeland Security Policy and Other Areas," released Oct. 17 by the Washington-based public policy think tank, argues that the shared-risk nature of today's security environment actually discourages companies from making the sometimes costly investments in security.
In addition, the report states that when industry-leading companies fail to invest in certain security precautions -- because of cost or other reasons -- the knowledge that those companies aren't making such investments can help "clinch a decision not to proceed" at other firms.
"In these circumstances, an entire industry may be unwilling to take reasonable precautions against catastrophe," according to the report. Therefore, "a combination of regulations, insurance and third-party inspections offers the most auspicious approach to improving security at reasonable economic cost."
The Brookings study comes at a time when many in the private sector, including experts from various software developers and security service providers, have been quietly expressing dissatisfaction with the White House's recently released National Strategy to Secure Cyberspace. According to some industry and Wall Street observers, the plan's reliance on market forces to drive security investments in the private sector is its Achilles' heel. When asked recently if they thought the plan's market-focused approach would work, a group of Wall Street venture capital experts and CEOs simply shook their heads and laughed.
Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, said in a telephone interview from Pittsburgh, where he was attending the latest of the White House's Town Hall Meetings on the national strategy plan, that the Brookings study is but one perspective on the role and definition of market forces.
"I've seen a tremendous shift in awareness and the way people look at what they expect from the market," said Schmidt. "We don't think the answer is going to be as Draconian as [the Brookings study] indicates. Market forces does not only apply to the development of software and hardware. It also applies to the need for individual organizations to secure their environment."
In an interview last month on the topic, Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, acknowledged the existence of a "middle ground" between government regulation and industry self-regulation.
"There are laws already on the books that generally require IT security measures," he said at the time. While those regulations may be tweaked, there are no plans to propose new ones, Clarke said.
"Market forces alone do nothing to address the [lack of perceived threat] that exists within the private sector," said Jon Karlen, general manager of contactless technologies at NTRU Cryptosystems Inc. in Burlington, Mass. "Companies have little incentive to bear the costs of protecting against an event that is highly unlikely to target them individually."
However, because most corporate executives still view security as an expense with no tangible return on investment, "market forces won't influence anything in the purest sense," said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based content management firm. "If we just rely on the corporation's good faith, or consumer demand, we'll be waiting a while."
Morgan, like others, would like to see the government get tough with companies that fail to take some sort of minimum appropriate action to ensure their systems are secure. That could come in the form of legislation that assigns financial liability for operating insecure systems, he said. But not everybody is ready to ask for more government.
"I agree that reliance on market forces alone will not appreciably move the industry forward," said Michael Karaman, senior vice president and chief technology officer at The MedStat Group Inc. in Ann Arbor, Mich. "On the other hand, I would dread having the government heavy-handedly dictate appropriate security measures."
Karaman said he would be more supportive of "a hybrid approach" that relies on a mix of government regulation and independent, for-profit security assessment agencies that could give firms a stamp of approval.
But many, like Karlen and Russ Cooper, the surgeon general of TruSecure Corp. in Herndon, Va., who has come out publicly against the White House's hands-off approach, think the government is the only institution that can force real change.
"As a central authority, the government is in the best position to institute guidelines to be followed by the private sector and, where appropriate, bear the costs of the security infrastructure," said Karlen. "Left on its own, the private sector will never have the proper incentive to cooperate to the extent required to provide adequate homeland security."