Microsoft is calling on the government to take a firm hand in all areas of information security, from the teaching of computing to the implementation of new legislation. The software giant wants more clearly defined roles for the public and private sectors, as well as a reform of funding, compliance and certification.
"Government clearly needs to be involved in security, but the difficulty has been identifying the right roles," said Scott Charney, Microsoft's chief security advisor, at the Microsoft IT Forum in Copenhagen.
"In the mid-90s, the government would go to industry and say 'we don't want to regulate, we want to partner.' And industry agreed, but I don't think we [Charney was working for the government at the time] did a good job of defining the roles."
Since 9/11, Charney said, there have been increasing calls for regulation. "But if they regulated us today, what would they ask us to do that's commercially viable and we're not already doing? The time to do that kind of regulation was ten years ago."
And even in areas where government has stepped in, such as corporate governance, the results are vague, Charney said. "Gramm-Leach-Bliley and HIPAA require 'reasonable security', but the dilemma is what constitutes 'reasonable'. It's very hard in security. You can't put something in and say 'I'm not going to get hacked.' And what's the ROI on an intrusion detection system? It's very hard to quantify the risk-benefit analysis for security."
Microsoft is also recommending reform of federal funding for education by using the strong-arm approach used to enforce speed limits.
Charney added that he believes academic institutions should be able to teach security as part of computer science or engineering.