Microsoft has called on governments to take a more active role in all areas of information security, from the teaching of computing to the implementation of new legislation. The software giant wants more clearly defined roles for the public and private sectors, as well as a reform of funding, compliance and certification.
"Government clearly needs to be involved in security, but the difficulty has been identifying the right roles," said Scott Charney, Microsoft's chief security advisor, at the Microsoft IT Forum in Copenhagen. "In the mid-90s, the government would go to industry and say 'we don't want to regulate, we want to partner.' And industry agreed, but I don't think we [Charney was working for the US government at the time] did a good job of defining the roles."
Since 9/11, said Charney, there have been increasing calls for regulation. "But if they regulated us today, what would they ask us to do that's commercially viable and we're not already doing? The time to do that kind of regulation was ten years ago," he said.
And even in areas where government has stepped in, such as corporate governance, the results are vague, he said. "Gramm-Leach-Bliley and HIPAA require 'reasonable security', but the dilemma is what constitutes 'reasonable'. It's very hard in security. You can't put something in and say 'I'm not going to get hacked.' It's very hard to quantify the risk-benefit analysis for security."
Microsoft is also recommending reform of federal funding for education by using the same strong-arm approach used to enforce speed limits. "When the government wanted drivers to slow down, they got the states [which control the speed limits] to do it by tying it to federal highway funds – if you wanted funds, you set the limit to 55. So I've been starting to talk to legislators and saying 'Look, you give a lot of money to academic institutions. If that is earmarked for computer science or engineering, require them, as a condition of getting the money, to teach trustworthy computing elements – security, privacy and reliability – so that when they come out of school we don't have to hire someone who doesn't even have the foundation."
Finally, Microsoft would like to see certification such as Common Criteria streamlined for the modern market.
Charney wants three areas reformed: the speed at which products are certified; the cost; and a requirement that candidate firms demonstrate internal processes to reduce vulnerabilities.