Firms – or rather the managers of firms – always like to externalise their costs (a polite way of saying ‘let someone else pick them up’) but you can understand them bitching about this ideaÂ (from the US Senate, via Bloomberg Businessweek) when the costs are questionable, at best.
Two of the largest U.S. business- lobbying groups criticized a Senate cybersecurity bill aimed at shielding vital computer networks, saying the measure would burden companies with unneeded and costly regulation.
The bipartisan legislation introduced yesterday calls for the U.S. Homeland Security Department to identify systems critical to national and economic security and set security rules for overseeing companies and government agencies.
The aims of course sound entirely reasonable – legislative aims usually do. Â As set out in the article, even the key provisions sound sensible:
Under the legislation, the Homeland Security Department would have the power to identify systems that may cause mass casualties or catastrophic economic damage when attacked. The agency would set regulations requiring operators of critical networks to improve security. Companies would have to show that their networks are secure or face penalties.
Well, they were sensible until that last line.
Companies would have to show that their networks are secure or face penalties.
Wielding a big stick is absolutely the right answer to some questions but it is not the right answer to every question. Â And it absolutely cannot be the right answer if the question is ‘how do I make my network secure?’
It is not just that there is no such thing as a completely secure network, which no amount of hitting is going to change. Â It is that hitting/penalising people encourages them – perfectly rationally – to adopt a herding or flocking view where, ‘they can’t hit all of us if we all act the same way’.
To ensure they act the same way, rules are created for everyone to follow and following the rules becomes more important than the original objective for which the rules were established.
And, as my Father-in-Law never stops telling me:
Rules are made for the guidance of wise people and the obedience of fools.
We all, clearly, want networks to be as secure as possible – certainly those capable of causing “mass casualties or catastrophic economic damage when attacked” – butÂ you can’t impose anÂ unattainableÂ standard of security (complete security) by fear. Â All you end up with is bright people managing security foolishly because it is safer (personally) than doing it wisely.
What does it say about legislators, that they think in terms of hitting? Â A question for another day…