Free Market Seen as FISMA Alternative

Cato: Feds as Force to Mature IT Market
A leading free market thinker proposes that technology vendors guarantee the security they build into their IT wares, but in return, the government would pay more for those technologies.

"As a large market participant, the federal government can have a good influence on the security ecology without resorting to intrusive regulation," says Jim Harper, director of information policy studies at The Cato Institute, a libertarian think tank. "Whether it creates a gold standard for security in technologies purchased in the private sector, or whether it moves the market toward contract-based liability for technology sellers, the federal government can help the technology market mature."

The federal government is among the largest purchasers of IT, and though Harper says this isn't the preferred state from his perspective, there's little reason to deny that its purchasing decisions can influence improvement in off-the-shelf technology.

Harper points out that the market for communications and computing technologies is very immature. "Many products are rushed to market without adequate security testing; many are delivered with insecure settings enabled by default," he says. "My impression also is that most are sold without any warranty of fitness for the purposes users will put them to, leaving all risk of failure with buyers who are poorly positioned to make sound security judgments."

Because of the National Institute of Standards and Technology (NIST) and other entities, Harper says, the federal government is among the most sophisticated purchasers of technology. "The government can drive maturation in the market for technology products by setting standards and defaults for the products and services it buys," he says.

And, Harper says, because of its size the federal government could insist on shifting the risk of loss from the buyer - the government - to the seller - vendors and service providers - but at a price. "Federal buyers should expect to pay more if they demand fitness and security guarantees, of course, but more secure products have more value," Harper says. "Sellers will have to do more thorough development and more rigorous security testing. Because they currently bear little or no risk of loss, technology sellers will probably howl at the prospect of bearing risk, but ready to step in will be technology sellers willing to produce better, more secure, and more reliable products for the premium that gets them."

Harper suggests the shift in risk is a free market alternative to the Federal Information Security Management Act, or at least a complement to the law that governs federal government IT security.

"If the federal government knew how to do cybersecurity well, FISMA would be a to-do list that more or less secured the federal enterprise," Harper says. "We would not have the cybersecurity problem all agree we have."

Harper's comments came in prepared testimony he delivered last week to the House Science and Technology Committee's Subcommittee on Technology and Innovation.

About the Author

Eric Chabrow
Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.