Wither the Security Lobby?

A number of industries spend millions of dollars to lobby lawmakers in order to protect their interests in cyberspace. Software is protected by copyright, making it illegal to make or distribute unauthorized copies; content providers have the DMCA, which makes it a crime to circumvent copyright protection mechanisms; efforts like SOPA, PIPA and CISPA are only the most recent attempts to impose security standards on things-cyber. But there is no security lobby analogous to the lobbies that support the software or entertainment industries. What we have is the security industry, which is doing the opposite of what a security lobby would do. The last several years has seen a record number of cyber security bills submitted to Congress, and record spending on cyber security in the form of the CNCI, yet I am confident that it will never be illegal to make vulnerable software, industrial control systems, etc. Fixing exploitable system flaws and cleaning up the mess left over after a flawed system is compromised is a billion-dollar industry. Lobbying for secure software or systems would put the security industry out of business.

Regulation such as HIPAA, FIMSA and GLBA are what the industry likes; efforts focused on making sure obvious things that may lead to a compromise are noted and their risk accepted, not fixing underlying problems. Fixing problems is hard; checking boxes is easy. The government has no problem enforcing regulations, but the only solutions they have that scale are viewed through the lens of armed conflict. So many in security are carrying – or trying to sell – a hammer when the problems at hand require a wrench.

Vendors put back doors in their systems for legitimate maintenance and support activities, not because they are anti-security. Not making things easy to fix is bad for business. Security people blame vendors for not doing the secure thing (and vendors could in fact build better back doors), but there is only money in security because vendors are responding to market forces. Software or control systems built from the ground-up to be secure would have to be sold at a premium price in order to make it worthwhile from a business perspective. People demand functionality, not security.

Cyber security experts talk about how much safer cyberspace would be if only people would just listen to them. These tiresomely repetitive, self-indulgent and often hypocritical tirades echo in a chamber that is detached from reality. Almost none of them will ever speak of a rice-bowl-breaking scenario that would in fact make things more secure, but at the same time put them out of business. Everyone is for security until they miss a boat payment.

As long as there is money to be made there will never be a true security lobby. Why, when multi-million dollar impacts are painlessly absorbed by consumers – who don’t have a lobby – in penny increases in fees here, five-cent price increase there. Ordinary people forget about even the most massive breaches over time, and most hacked businesses suffer no long-term ill effects. Commerce drives the Internet, and as long as commercial concerns see no up-side to having true cyber security, a security lobby would have a Sisyphean task trying to get the government to mandate it.