It gets regulated.
Think of civil engineering, said Hunt, during a session on the coming of regulation on the IT industry on Monday at Gartner Symposium/ITxpo here. Civil engineering was pretty slap-happy until the late 1800s, when loads carried by bridges went up—a lot. Suddenly, railroads and big machinery were everywhere, and suddenly, ad hoc approaches to putting up bridges started to fail, and people started to get hurt.
So it became a licensed profession, and people who put up bridges had to have something more than just an idea that they'd like to put a bridge in a certain place.
IT's going down the same road, Hunt predicted. Up until now, the youthful industry has escaped regulation, even though software flaws and security vulnerabilities have created serious damage from malicious users and, in isolated cases, have even caused death.
Because of a tremendous surge in lobbying by the IT industry over the last few years, the political class is now very aware that IT is out there. Hunt said that some Attorneys General have said privately that they're looking at the IT industry as "the next tobacco."
"They see potential for significant class action suits on behalf of citizens of their states," he said.
An example of IT failure that could have resulted in class action against the industry can be seen in the widespread electric outages of summer 2003. Software failures were implicated in some local failures that were then linked to the larger outage.
Likewise, between 2001 and 2004 we faced a "never-ending rush of malicious software, all of which could be traced to one vendor's failure in software," Hunt said.
"I expect the vendor in question understood they were facing a potentially life-threatening situation," he said. "Microsoft—oops, I named them—spent $100 million in the first six months of its Trustworthy Computing Initiative, and the quality and reliability of products did improve over the next 24-36 months."
At this point, liability clauses exist, but financial liability is usually contractually capped at the total value of the product or service—a trivial amount, given that business damage from IT failure may now exceed a business's annual IT expenditures by orders of magnitude, Hunt said.
"It's like buying a bottle of snake oil that killed me, but I can only sue you for the $3 I spent on the snake oil," he said.
What will be the tipping point for government to step in and start regulating IT the same as it does any other vital service or utility?
A medley of factors will determine whether IT becomes regulated or can manage to self-regulate, Hunt said, including diminishing public confidence in IT, executive concern, danger to national security, court action, vendor resistance to standards, and inertia in the installed base for shaky technologies.