IT Resists Mandatory Cyber-Security

Top IT industry execs say feds should promote security through their purchasing power rather than through mandates.

As the Bush Administration prepares to release the National Strategy to Secure Cyberspace, the IT industry continues to resist efforts to include technology mandates or regulations. Not all members of the nation's critical infrastructure sectors are equally resistant to the federal government dictating standards, however.

This afternoon, the President's advisor on cyberspace, Richard Clarke, heard from top-level IT industry executives, who emphasized that the government should promote security through its purchasing power rather than through mandates. Thirty chief executives from all critical infrastructure sectors make up the National Infrastructure Advisory Council, which is providing suggestions on the strategy.

"When it's all said and done, the government has a huge, huge lever in its purchasing power," John Thompson, chairman and CEO of Symantec Corp., said in a teleconference with the advisory group today. "We should encourage the government to settle on a set of standards for their own use, but not dictate a set of standards."

Other industries, such as banking, have benefited from regulation, and some members of the advisory group want to ensure that the strategy does not preclude further beneficial mandates in those sectors. George Martinez, chairman of Sterling Bank and Sterling Bancshares Inc., said that banking regulations have spurred necessary investments and that they could be expanded to include security.

Law enforcement also has been a proponent of a more stringent federal approach to security. During today's teleconference, Gilbert Gallegos, chief of police in Albuquerque, N.M., said that mandatory security testing could help determine whether flaws exist in products before problems arise.

Long accustomed to little oversight from Washington, the IT sector is eager to ensure that it does not fall under a regime similar to banking or other highly regulated industries, however.

John Chambers, president and CEO of Cisco Systems Inc., said that regulations such as mandatory testing retard IT innovation and that the strategy should not recommend mandatory testing.

Information-sharing is another major focus of the cyber-strategy, and IT companies are also leery of government-mandated standards with regard to system interoperability.

Margaret Grayson, president and CEO of V-ONE Corp., suggested that the information-sharing provisions of the strategy should be strengthened with interoperability requirements, but that idea was rejected.

Chambers, who serves as vice chairman of the NIAC, said that to encourage open standards is the right message, but that forced interoperability among a large number of companies is practically unenforceable and an impossible burden on small companies.