Information systems security and the ongoing consequences of always being reactive – 17: incentivizing more secure software and information systems

This is my seventeenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4 and its continuation page, postings 189 and loosely following for Parts 5-16.)

I have been writing about reactive and proactive approaches to information and cyber security in this series, and about integrated and multi-level approaches to making these systems more agile and effective. And I have been writing here about approaches for making this work. But even where the approaches I suggest and others would offer real value, they cannot work if they are never tried and applied. Doing so would require incentivizing change and, I would add, removing some disincentives too. My goal for this posting is to at least begin a discussion of that, and I want to begin with the disincentives side of this set of issues, which in this case revolves around antitrust laws on the one hand, and the pressures of a highly competitive industry to thwart collaboration even when it is allowed on the other.

Antitrust laws, also called competition laws, are formulated and enforced to prevent collaborative agreements between competitors that would artificially restrain trade and control consumer prices and access to marketplace choice. In principle at least, any collaborative relationship or understanding between businesses in, for example, the antivirus software arena could at least potentially be seen as fitting that outlawed pattern. But it is recognized that if these computer and information security resources are to work at all and provide any benefit, they have to be based upon and updated according to the best and fullest of what is known about the threats faced by all. And certain best practices frameworks of understanding are going to have to be collectively shared across the industry, as well as insight into the rapidly evolving nature of those collectively faced threats. So certain types of industry-wide organizations are allowed for and even encouraged – provided they meet certain basic requirements of openness and participatory inclusiveness. One that comes immediately to mind for me is The Open Web Application Security Project (OWASP).

But a shift from a more strictly reactive approach to information security to a more proactive paradigm of information and computer systems security is going to call for new types of collaboration. The implications and requirements of this shift are going to have to be incorporated into the legal frameworks that limit and permit collaboration between competing for-profit businesses in these arenas. And as already noted in several contexts in this blog, the law is always reactive, and when a field is rapidly changing it can be significantly behind the curve and disconnected from actual current needs and circumstances. It is a hallmark of information and cyber security that their challenges and priorities, and the solutions they have to provide in response, change faster than any regulatory law ever could.

• So law regulating competition in this specific arena has to be open as far as specific technology or processes are concerned, and focus entirely on openness and inclusion of participation in any umbrella organizations involved, and on their transparency.
• But even if the law were perfectly in tune with industry and marketplace needs for this, competitive pressures in this marketplace all too often put a greater premium on pushing new products and services out the door, and less on providing the most robust possible security and risk management solutions. The pace and force of competition here effectively compels that.

I turn to address that set of challenges with a very specific working example from a very different industry in mind, that while different in detail might offer insight of value here too: organic food and more specifically, California’s legally defined standards as to what can be called organic food.

Words like natural, healthy and organic convey powerful messages when marketing food items, and credible claims that a food product offered is organic, or that it is made entirely from organic ingredients, increase its sales and profitability. So as a result, some businesses began using the word organic very loosely. Consumers in the state of California spoke up in response and got their legislators involved, and as a result California passed what at that time was the strictest set of guidelines in United States law as to what can be identified as being organic. This was seen as a truth in advertising and consumer protection initiative, and this law, California’s Organic Foods Production Act of 1990, became the gold standard for regulating this area of the food industry. And that is where this story connects with the narratives of this posting and this series.

California is, among other things, one of the major producers of fruits, vegetables and other produce in the United States, so when growers there were restricted to only using the word organic when strict standards were adhered to, that had national and even international impact, since California produce is sold very widely. But perhaps more importantly for this discussion, California’s population is very large and in fact constitutes a significant market segment for essentially any widely distributed processed food manufactured essentially anywhere in the entire country. So when California law imposed very specific and precise accuracy requirements for calling a food organic, businesses that produced foods in other states and even in other countries noticed. The potential of losing this part of their market share forced a lot of businesses to rethink their ingredients and their production processes if they were to continue to use that word – remember here that if they had suddenly just taken “organic” off their labels, that would have sent a clear message that they had been lying and that their foods were not as pure or as good as they had been claiming.

My point is that when a sufficiently large market segment or share of a customer base suddenly demands that some new standard be met and in specific ways, that puts real pressure on all prospective providers to meet those new standards, and for all of their intended customer base. Now consider how this applies to antivirus and related anti-malware software.

• If even just a few key, high purchase volume state governments and a few major corporations were to suddenly demand that a new collectively agreed to higher standard be met for information and computer systems security, as a threshold requirement before any of them would consider purchasing a given product or service, every major information and computer security provider would in effect be forced to meet that new standard and for all of their customers, everywhere.
• To clarify that last point here, they would need to meet those new standards for this market segment to keep its business. And they couldn’t very well tell the rest of the world “we sell software and other products that really work to our larger and more demanding customers …and we sell our old design-paradigm stuff to everyone else.”
• Other customers would, of course, begin demanding that this new standard be met for them too.
• An organized consumer base that only collectively included a significant minority of the overall market could begin this process and in effect force this industry to meet higher standards for all.

Antitrust and competition laws limit and control producer collaborations and the prospect of producer collusion and marketplace manipulation. They do not address or seek to address consumer-side collaboration or the development of consumer-side standards that would have to be met by any successful vendor or provider. A “consumer-side trade group” could in effect force all significant participants on the producer and seller side of this to uniformly meet and adhere to newly defined minimal standards and even to new types of standards.

• If governmental and other major purchasers required that the software and systems they acquire be secure, and according to a specific robust standard as to what that means, that would incentivize all software manufacturers and other IT systems, products and services providers to build and maintain to that higher standard.

