Free Market Seen as FISMA Alternative
Cato: Feds as Force to Mature IT Market
"As a large market participant, the federal government can have a good influence on the security ecology without resorting to intrusive regulation," says Jim Harper, director of information policy studies at The Cato Institute, a libertarian think tank. "Whether it creates a gold standard for security in technologies purchased in the private sector, or whether it moves the market toward contract-based liability for technology sellers, the federal government can help the technology market mature."
The federal government is among the largest purchasers of IT, and though Harper says this isn't the preferred state from his perspective, there's little reason to deny that its purchasing decisions can influence improvement in off-the-shelf technology.
Harper points out that the market for communications and computing technologies is very immature. "Many products are rushed to market without adequate security testing; many are delivered with insecure settings enabled by default," he says. "My impression also is that most are sold without any warranty of fitness for the purposes users will put them to, leaving all risk of failure with buyers who are poorly positioned to make sound security judgments."
Because of the National Institute of Standards and Technology (NIST) and other entities, Harper says, the federal government is among the most sophisticated purchasers of technology. "The government can drive maturation in the market for technology products by setting standards and defaults for the products and services it buys," he says.
And because of its size, Harper says, the federal government could insist on shifting the risk of loss from the buyer - the government - to the seller - vendors and service providers - but at a price. "Federal buyers should expect to pay more if they demand fitness and security guarantees, of course, but more secure products have more value," Harper says. "Sellers will have to do more thorough development and more rigorous security testing. Because they currently bear little or no risk of loss, technology sellers will probably howl at the prospect of bearing risk, but ready to step in will be technology sellers willing to produce better, more secure, and more reliable products for the premium that gets them."
Harper suggests the shift in risk is a free market alternative to the Federal Information Security Management Act (FISMA), or at least a complement to the law that governs federal government IT security.
"If the federal government knew how to do cybersecurity well, FISMA would be a to-do list that more or less secured the federal enterprise," Harper says. "We would not have the cybersecurity problem all agree we have."
Harper's comments came in prepared testimony he delivered last week to the House Science and Technology Committee's Subcommittee on Technology and Innovation.