Regulation, Liability, and Computer Security
For a couple of years I have been arguing that liability is a way to solve the economic problems underlying our computer security problems. At the RSA conference this year, I was on a panel on that very topic.
This essay argues that regulation, not liability, is the correct way to solve the underlying economic problems, using the analogy of high-pressure steam engines in the 1800s.
Definitely worth thinking about some more.
Davi Ottenheimer • February 25, 2005 12:20 PM
Bruce, panels are great but perhaps you will find more traction in open venues such as the Secure Software forum where the (large) audience can participate and help set the tone for the group the panel is meant to represent.
Thanks for the link. A very thoughtful essay. I think this quote boils the problem down nicely:
“Most designs for engines and safety features were based on the assumption that owners and operators would behave rationally, conscientiously, and capably. But operators and maintainers were poorly trained, and economic incentives existed to override the safety devices in order to get more work done. Owners and operators had little understanding of the workings of the engine and the limits of its operation.”
Perhaps as a fitting example of Microsoft’s mockery of the seriousness of this point, the Microsoft Certified Systems Engineer program has always been widely regarded to be a marketing/revenue system, which has absolutely nothing to do with real training or understanding the workings of distributed systems and their security. Twelve year olds were being awarded MCSEs in the late 1990s…
Also, note that the article claims it took over 120 years, thousands of deaths, and millions in damages before regulation started to appear at the turn of the century. Watt’s astute warnings in the 1870s did not create the market for safer boilers — extensive death and destruction did.
Why are we predisposed to wait for a major disaster before we start regulating? “Predictable Surprises” by Bazerman and Watkins, 2004, have a pretty good answer. They claim the following general characteristics of predictable surprises:
And last, but not least, a small but vocal minority benefits from inaction and is motivated to lobby for its private gain
So based on the lesson of Steam Engines, and the theory of predictable disasters, I figure we could have as many as ten to twenty years (with many more ChoicePoint fiascos to come) before the general public will force regulation from Int’l leadership. That is unless elected officials and public figures such as yourself start actively pushing for real regulation right now. Thank you California.
Is Counterpane ready to make bold statements like Watt did to help advance the industry? Without active pressure from experts for safer boilers, steam engines might have suffered a much greater public backlash that would have stopped progress altogether…we already see reports wondering about a serious slowdown in people willing to use the Internet for commerce.
Bruce, it is not clear what you see as your role in all this but I hope you accelerate your work with legislators on regulation and campaign widely for federal adoption. And the next time you run into public figures like Howard Schmidt, please remind him that he is actually “pro-regulation” when he says that we need fair and balanced laws.