Time to regulate the software industry?

With flaws providing an open door to viruses and worms, industry observers debate imposing rules on software companies.

SAN FRANCISCO--A panel of security experts on Wednesday debated the merits of regulating the software industry as a way to curtail software flaws--and hence reduce the volume of virus attacks.

With software flaws serving as the open door to viruses and worms, a panel of industry experts at the RSA Conference here pondered whether it's time to regulate software companies. The experts were mixed on the effectiveness of such a plan and whether it could be undertaken without crimping innovation.

"The issue is not to regulate or not," said Harris Miller, president of the Information Technology Association of America. "Our industry is all about innovation, and my concern with regulation is it's often the enemy of innovation."

In that same vein, Rick White, chief executive of technology advocacy group TechNet, said the industry should come together and develop guidelines for best practices on developing software with minimal flaws, rather than imposing regulations.

"Congress will never solve the problem as well as the people who work in the industry," said White, a former congressman from Washington state.

But other panelists were not as sure.

Dick Clarke, chairman of Good Harbor Consulting and former presidential special adviser on cybersecurity, noted that efforts to have industries develop guidelines and follow through have failed in the past. For instance, Internet service providers did not adhere to self-imposed principles, even after Michael Powell, head of the Federal Communications Commission, threatened to regulate their industry if they did not abide by those guidelines, Clarke said.

"Powell bluffed them. They knew it, and now he is leaving office," Clarke said.

Other panelists, such as encryption expert and author Bruce Schneier, also called for more action in prompting software vendors to vet through their code before releasing it to the market.

"If we make it in their best interest to do this, then it will happen. You need to find a set of financial incentives," Schneier said. "Regulations would increase the cost of not doing security, and that would increase security (testing)."

Companies that take the time to test the security of their software before releasing it are at a disadvantage because of higher costs and potential late arrival to the market, he said.

Additional financial incentives may come from customers demanding a certain level of security testing from a vendor, before agreeing to sign a contract to purchase their products, Schneier said.

In offering a post-Sept. 11, 2001, warning, Clarke said: "Regulation is neither good nor bad...but the industry should bear this in mind. After we have an incident, regulations will be much worse."