Congress has become impatient with the perceived lack of progress by industry, said Michael O'Neill, a partner with lobbyist firm Preston Gates Rouvelas Ellis & Meeds, adding that government-mandated security guidelines may be coming.
"Help yourselves," O'Neill told industry representatives at Microsoft's security forum. "Fix security soon, or Washington will do it for you." O'Neill represents the pro-encryption tech-industry group Americans for Computer Privacy.
Government regulation has always been a big fear of the technology industry. Under the Clinton administration, the Federal Trade Commission looked ready to step in to regulate companies' data-collection practices to guarantee baseline privacy for consumers. The Bush administration, however, has seemed to favor a more hands-off approach.
"The case has not been adequately made for regulation," Mozelle Thompson, one of five commissioners with the FTC, said during a morning keynote address in which he called for the public and private sectors to collaborate.
But Internet security affects more than consumers. Business and government data are also at risk, and that could lead to more pressure to legislate, O'Neill said, especially if terrorists use the Internet to conduct attacks.
"Internet regulation is likely," he said. "Sooner or later, unless more effort is put into computer security by industry, Congress is going to want action on security. Not because it might be effective, but because they need to do something."
Even before the Sept. 11 attacks, lawmakers were sounding out legislation with an aim to better secure the Internet. Sen. Ernest F. Hollings, a South Carolina Democrat and author of the controversial Security Systems Standards and Certification Act, has repeatedly warned that Congress may take a hand in security.
Yet many Internet industry representatives believe the government is not ready to consider regulation.
The issue is too complex right now to be legislated, said Tatiana Gau, senior vice president for integrity assurance at AOL Time Warner and a conference attendee.
"It is less clear right now what are good baseline standards for security," she said. "And the bar is going to constantly shift." Any legislation that attempted to create a standard for security would be outdated before it reached the president's desk, she added.
"People said privacy regulations were imminent a few years ago," Gau said. "And self regulation has shown that industry can be responsible about protecting itself and consumers."
Almost 200 industry representatives, policy-makers and security experts are meeting at Microsoft's Trusted Computing conference this week.