I'm not cheerleading for the CISA pledge
Infosec regulation is inevitable. But it's coming before anyone had a chance to figure out the rules of the craft.
Earlier this week, the Cybersecurity & Infrastructure Security Agency (CISA) announced that 68 tech companies — notably including heavyweights such as Google and Microsoft — signed the agency’s voluntary information security pledge. The pledge commits the signatories to pursue a number of security improvements, from enabling multi-factor authentication to rooting out memory-unsafe languages across their products.
Many industry commentators applauded the move. It’s not hard to see why: by and large, the agency’s prescriptions make sense. The math for the signatories is also clear. The cost of the commitment is minimal: many are already compliant, or had plans to get there either way. The companies see the benefits of pointing their vendors and partners to a government-backed benchmark instead of ad-hoc requirements. But above all, they must see the writing on the wall: security regulation is coming. A show of good will gives them a seat at the table when the regulators decide to pounce.
As it happens, that last part is also the crux of my concern: the pledge must be viewed as a prelude to regulation. Many in my industry are rooting for this; they want strict liability for software vendors, they’d like to see professional licensing, and they’d love blanket bans or mandates for specific tech. The argument is simple: if the finance industry can thrive in the face of expansive regulation, so can Big Tech.
I don’t have any special issue with CISA banning default passwords. My worry is that regulation inevitably begets more regulation: few government bureaucracies wind down after accomplishing their original goals. An ever-growing army of regulators in charge of your industry means that you need an army of lawyers and lobbyists on your payroll just to be able to do the right thing.
But so as not to dwell on abstract ideological arguments: imagine that the government had decided to drop the hammer on information security earlier on, perhaps circa 2000. Would it have been good to enshrine the prevailing security sensibilities and engineering practices of the era in law? Or to make it much riskier to build products if you weren’t Yahoo or AOL?
Most other heavily-regulated professions had far more time to evolve — and peak! — before the government swooped in. I don’t think we can stop the regulation of software engineering, and I understand the arguments in favor of it. I also think highly of the folks at CISA. But I think there are downsides, and I don’t want to be on the cheerleading squad.
I don't have a problem with anodyne pledges not to commit well-understood vulnerabilities... but if that's all that "secure by design" means, then this is just posturing. To me, the important discussion is around who should decide what "secure" means. Of the possible candidates, I think government is pretty close to last. IMO they should stick to forcing organizations to be transparent and letting the market sort it out.
Sadly, “regulations” will inevitably be twisted to tip the playing field in favor of the established, moneyed players. No body of regulation ever made it easier for new entrants to compete. This may signal the beginning of the end of software innovation: universal Windows-ification.