Do Federal Security Regulations Help?
This essay appeared as part of a point-counterpoint with Marcus Ranum.
Regulation is all about economics. Here's the theory. In a capitalist system, companies make decisions based on their own self-interest. This isn't a bad thing; it's actually a very good thing. We don't want companies to act as public charities; we want them to act as for-profit entities. But there are often effects of company decisions that are not borne by the companies; these are known as “externalities” to the decision. Companies aren't going to take externalities into account, because, well, because they're someone else's problem. If we as a society want externalities to factor into company decisions, then we have to make those externalities internal. Once we do that, the natural engine of capitalism will take over.
I'll give you an easy example. Company pollutes the river, people downstream die. No one in the company lives downstream, no company customer lives downstream, so the company doesn't care. It's a classic externality. If society wants the company not to pollute the river, it has to remove the externality. Liabilities (allowing the people who live downstream to sue) and regulation (making it illegal to pollute the river) both do that. They raise the cost of polluting the river, so a rational company will spend more money so as to not pollute the river.
What does this have to do with computer security? Everything. If ChoicePoint has lousy security and someone steals our identity information, we are harmed. But to ChoicePoint, it's an externality. ChoicePoint isn't a charity, and it's not going to improve its security out of the goodness of its heart. If we want ChoicePoint to protect our data, we're going to have to force them. We need to raise the cost of their having lousy security, so it'll be cheaper for them to have good security.
At least, that's the idea behind regulation. Unfortunately, reality isn't nearly as simple as the theory. When you're talking about regulation, the devil is in the details.
Take the various disclosure laws. On the face of them, they're smart regulation. By forcing companies to make data breaches public, we're raising the cost of those breaches. Unfortunately, a lot of that cost was in public shaming; the press would write bad stories about companies that lost personal data. But as more and more companies lose data, the press becomes less interested in writing those stories – and the public shaming diminishes. Good idea, but temporary.
Or take Sarbanes-Oxley. I've read the law, and I'm not exactly sure how it pertains to computer security. But everyone seems to think it does, and companies have poured all sorts of money into computer security: the cost is still cheaper than the potential liability. Some of this money has gone into actual computer security, but most of it has gone to large auditing firms that produce reports that are only useful to defend against liability claims. Sort of a good idea, but very expensive for what you get.
A much better example is the credit card law that limits personal liability for fraud to $50. Before the law, credit card losses were an externality to credit card companies, so they didn't do all that much to improve security. After the law, we got online verification terminals, systems for card activation, data-mining systems to detect fraudulent spending patterns, and so on. Great idea, and one that significantly improved security.
So what are the characteristics of good regulations? One, they're targeted at a specific externality. There's no point in passing a regulation requiring a company to secure its own assets; normal economics will take care of that.
Two, the penalties are large enough to make the alternative more attractive. Otherwise, they're worthless.
Three, they're focused results, not technology. Don't pass a regulation requiring this brand of firewall or that default configuration setting. A good regulation says that if anyone breaches your network and uses it to send spam, you're not in compliance. How you prevent this attack is your business. This kind of regulation stimulates the marketplace to solve the problem better and more cheaply.
And four, they put the entity that has the ability to fix a security problem in charge of the security problem. It's useless to pass a regulation requiring individuals to secure themselves against identity theft; the real problem is with the banks and the credit card companies.
Do federal security regulations help? They can if written well, but unfortunately that's the exception. Which is why I tend to prefer liability as the mechanism to reduce externalities instead of regulation.