Software Industry Battles the Regulators
The software industry is, once again, under attack from a handful of vocal, influential people. This time around, the vociferous critics claim flaws in software products allow criminals to exploit the software to their own ends.
While the rhetoric makes for good headlines, it tells only part of the story. Unfortunately, some members of Congress are buying into the rhetoric, and Congressional hearings will be held in the next month or two on alleged software vulnerabilities. The result could be catastrophic for one of the country’s most innovative and successful industries: Software companies could face regulation by the federal government, even legal liability if they do not produce flawless products.
The National Academy of Sciences has been one of the loudest critics of the industry. According to CIO Magazine, a panel of Academy representatives believes: "Congress should make it easier to punish companies that produce insecure software that puts business and consumers at risk." Perhaps even more worrisome is the push by the Air Force’s chief information officer to establish a set of government standards to regulate the software industry.
Another voice against the industry has been Rich Pethia, director of the Institute for Survivable Systems. According to Pethia, “... pressure is building around security issues and concerns over privacy. So the [regulatory] hands-off policy may be something they may want to revisit.”
Won’t Solve the Problem
Most of the critics can point to only a few products from a couple of companies when making these remarks. Their comments, however, are aimed at a much broader agenda: to regulate the software industry.
But regulation, whether through legislation or litigation, won’t solve the problem, because it doesn’t address the real cause of security weaknesses. Worse, regulation will result in the loss of current benefits that software provides, and it will stifle the innovation necessary to produce better software in the future.
One of the biggest kinks in software security and operability is the user. All too often, consumers do not install or use software correctly. Law enforcement officials are routinely able to defeat even the most robust encryption software because of faulty installation or application by the user. There’s no need for law enforcement officials to take on the software directly (the “brute force” approach): They needn’t break down the software door, as it were, because users have left it open.
In the same way, criminals take advantage of user implementation “holes,” rather than searching for software development “holes.” This is a security issue that defies litigation or legislation.
Stifling Innovation
Software development is a complex process conducted in a rapidly changing business and technical environment. A government-designed regulatory review and approval process simply could not keep pace with the changes.
Regulation-by-litigation would be as bad. Fearing lawsuits unless their programming was “perfect,” software companies would stop producing new products. Only the largest would have pockets deep enough to risk new inventions. Consumers and producers would lose; only the trial lawyers would win, lining their pockets with the rewards of subdued innovation.
The ubiquity of computing has rapidly expanded the base of users—exposing, and sometimes causing, problems that were not problems when the user base was smaller and more sophisticated. Government agencies are not immune to these user issues. Indeed, they may be the last groups you’d want to trust with setting software standards and establishing rules for user implementation.
A Defense Department inspector general's report recently concluded the Air Force is posting security-sensitive information on many of its Web sites. The report showed the Air Force had 140 publicly accessible Web sites with "potentially inappropriate" information. Those sites displayed warnings such as "For Official Use Only" and "Secret" ... yet they were all accessible by the public. Moreover, the report found the Air Force—like civilian software users everywhere—had a process for removing sensitive data that "was not reliable."
Trust the Market
Software provides untold benefits, but it is not and never can be infallible. No one recognizes this better than the industry itself. The software industry is continually—and successfully—working to improve the quality, usability, and security of its products. This constant innovation, driven by the competitive marketplace, is what’s best for consumers and all citizens.
Regulation, by legislation or by litigation, would bring this natural evolutionary process to a grinding halt. The idea of money brought in by lawsuits or settlements may be appealing. Ham-handed federal government intervention may seem an instant panacea on the homeland security front. But these are not lasting solutions. Regulation of the IT industry, or of its software component, only mortgages the future of our economy ... and our security.
Bartlett Cleland is director of the IPI Center for Technology Freedom. Formerly he served as technology and policy counsel for Americans for Tax Reform, and earlier he was counsel to Senator John Ashcroft.
For more information ...
SIIA Comments on Consumer Protection in the Global Electronic Marketplace. Position paper issued by the Software & Information Industry Association, outlining its case for limited government intervention into e-commerce, the Internet, and other industry matters best addressed by consumers making decisions in a free, competitive marketplace. (Software & Information Industry Association, March 26, 1999, 3pp.)
