IT Sector Regulation Appears Inevitable

Federally Imposed Rules Seen by 2015
In 2001, it was big news when a rogue employee stole 35,000 credit card numbers. Eight years later, the Heartland Payment Systems security breach exposed 130 million credit card accounts. Such breaches, along with other failures of information technology products and services, will likely lead the government to regulate the IT industry by the middle of the next decade, says Richard Hunter, a fellow and vice president at the IT advisory firm Gartner.

"Markets don't seem to have done it (self-regulate) on their own so far," Hunter says in an interview with GovInfoSecurity.com (transcript below). "The progression in consequences for the public of failures in IT has been climbing pretty steadily and rather steeply in the last few years. ... Indeed, as information technology becomes more and more deeply embedded in the fabric of society, there is no reason to believe that the consequences of IT failures will lessen over time."

As it did with the airline, automotive, financial services, pharmaceutical and telecommunications industries, the government will regulate the IT sector, Hunter predicts.

"There's a trajectory that industries tend to follow; when an industry is extremely successful - that is to say, when an industry succeeds in moving its products and services right into the heart of daily life - regulation tends to follow," Hunter says.

"In the 20th century, we saw the Food and Drug Administration, we saw regulation of telecom, we saw regulation of the airline industry, we saw regulation of the automobile industry," he says. "I think the information technology industry has been extraordinarily successful in the last 40 to 50 years in increasing the importance of its products and services to almost every aspect of modern life. And, what usually happens in any industry when you reach that level of importance in society is that regulation takes place."

In the interview, Hunter discusses how:

Pressure to regulate the IT industry has mounted as the number of records exposed in breaches has rocketed over the past decade.
Innovation could be stifled, especially for startups and the open source community that don't have the financial wherewithal of a Microsoft or Oracle to conduct the testing regulation likely would require.
IT vendors will produce off-the-shelf tiered products, including those for information security, that would assure a certain level of quality, for a price.

Eric Chabrow, GovInfoSecurity.com managing editor, interviewed Hunter.

ERIC CHABROW: Gartner predicts that IT products and services will likely be subjected to regulations by 2015. What type of regulations do you see the U.S. federal government imposing on IT vendors and providers?

RICHARD HUNTER: Essentially, we believe that regulation will take the form of regulation of practitioners and regulation of the quality and fitness for purpose of products and services, so that products which fall into a particular functional class will be expected to meet requirements associated with that class.

In our view, the logical outcome of that sort of regime is tiered pricing and quality for IT products and services. So, for example, right now you buy a spreadsheet program from one of the vendors who makes them, and there are really no guarantees of any sort of quality or fitness for purpose associated with that spreadsheet. In the future, that will be the bottom tier of quality and you will pay a certain price for that level of quality.

At a higher level of quality, we might expect internal checks on the validity of calculations and formulas based on information that is contained in this spreadsheet, and a different price will be associated with that. At a still higher level of quality, we might see spreadsheets that incorporate calls to external databases to validate any data that are referenced from those databases in real time as the spreadsheet is executed, and you will pay a third level of price for that.

In general, products will be certified as fit for purpose. There will be certain expectations associated with that fitness for purpose and we can expect pricing that goes with the level of quality that is associated with a particular product.

CHABROW: This would be something that the government would mandate for itself or others?

HUNTER: We would expect this to be a requirement of any vendor, or for that matter any user IT organization, whose products and services have implications for public finances, health, security, welfare, safety and so on. In other words, for any vendor whose products or services have potentially serious consequences for the well-being of the user.

CHABROW: Why would it take some type of regulation or law to do this? Wouldn't the market do this on its own?

HUNTER: Markets don't seem to have done it on their own so far. The progression in consequences for the public of failures in IT has been climbing pretty steadily and rather steeply in the last few years. You might remember that in 2001, when a rogue employee at a company based in Long Island stole 35,000 identities from one of the major credit check companies, Equifax I think it was, using a Ford Motor Co. access code, that was a record. Thirty-five thousand identities were stolen.

In December 2006, TJX Inc. announced that 94 million credit card numbers had been stolen from them. That number was then increased to 104 million. From 35,000 to 104 million in the space of six years is a pretty steep trajectory and there is no reason to suspect that we are near the end of the trajectory.

Indeed, as information technology becomes more and more deeply embedded in the fabric of society, there is no reason to believe that the consequences of IT failures will lessen over time.

CHABROW: Is this going to happen because government is among the biggest users of technology?

HUNTER: Government's status as a big user of technology is one factor. Certainly, when you think about the fact that the Department of Defense, in the field and in the office, is using off-the-shelf software, you need to think about the potential consequences of failure there.

It is more likely that government will take action because of its concern over the increasing influence of IT on the quality of daily life. There is a trajectory that industries tend to follow when an industry is extremely successful. That is to say, when an industry succeeds in moving its products and services right into the heart of daily life, regulation tends to follow.

In the 20th century, we saw the Food and Drug Administration, we saw regulation of telecom, we saw regulation of the airline industry, we saw regulation of the automobile industry. I think that the information technology industry has been extraordinarily successful in the last 40 to 50 years in increasing the importance of its products and services to almost every aspect of modern life. What usually happens in any industry when you reach that level of importance in society is that regulation takes place.

CHABROW: Does this kind of regulation impede innovation?

HUNTER: That is an excellent question. I guess the short answer is yes. It is difficult to foresee a meaningful regulated scenario in which innovation does not slow down.

Let's take one of the obvious consequences of regulation, for a start. In any kind of a scenario in which clinical trials or the equivalent of clinical trials were required of the people producing software for public consumption, the open source movement runs up against a very significant brick wall. It is difficult to see where the resources will come from to support the many thousands of developers who are now important contributors to the open source movement.

It is less difficult to see where the resources will come from in the case of major companies such as a Microsoft or an Oracle. They have the resources to fund clinical trials, but independent software companies, start ups, the many thousands of independents who produce products for the open source movement, all of these I think would be dramatically affected by a meaningful regulatory regime.

CHABROW: Do regulations have an impact on cybersecurity?

HUNTER: Absolutely. The current administration and its representatives have made no bones about the fact that they are indeed concerned about cybersecurity. President Obama made reference in one of his speeches to an unnamed European city that was subjected to cyber attacks on its infrastructure, including its electrical infrastructure and so on. There is no question that the administration has been extremely vocal about cybersecurity threats. It is possible to interpret that stream of conversation as the build up to proposed legislation for regulation.

CHABROW: How soon do you see this coming about?

HUNTER: We anticipate that it is going to take a while to put a really meaningful regime in place. I would anticipate something in the 2012 to 2015 timeframe, probably tending toward the latter, because, like I said, this is complex. It is not more complex than pharmaceuticals, and the government has been regulating pharmaceuticals for quite some time. I don't think you can argue that what software does is more complex than what a chemical does in somebody's body. But certainly regulating IT products and services for quality and for security is a fairly complex issue. It is difficult to be precise about this. It is like what Hemingway said about failure: it happens slowly and then all at once.

I anticipate that we will see a continuing drumbeat coming from public representatives leaning toward an environment in which regulation is a possibility and then something occurs to push it over the edge and you have got regulation.

Many software vendors are already practicing the kinds of things that would be required in a regulatory regime. They already have multi-step processes for assuring quality and functionality in the products they make. Certainly many large service providers, including many offshore service providers, have reached that level of quality assurance in their processes.

The organizations that need to think most carefully about how they would operate in this kind of regime are end-user IT organizations whose processes are not as strong as many vendors'. These organizations need to think carefully about what they need to do in order to be able to meet requirements, not just to create quality products and services, but also to demonstrate that they have done so.

As one of my clients put it to me, this is something like Sarbanes-Oxley for IT. IT organizations, end-user organizations in particular, need to think now about how they would operate in that kind of environment.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
