A Q&A with Microsoft's chief security strategist

The R-word, regulation, has long been anathema to technology vendors. But the worsening state of information security, coupled with the heightened stakes in a post-9/11 world, has made it a hot topic. Last spring, the National Cyber Security Partnership Task Force produced a report, cosigned by government officials, private-sector representatives and vendors such as Microsoft, that suggested that, in certain cases, regulation may be needed to improve information security.

One member of that team was Scott Charney, chief security strategist of Microsoft. Charney has served in the public sector and the private sector, and he brings a unique perspective to the issue. CSO spoke with him about the dreaded R-word.

CSO: Where and when do you think regs are appropriate?

Scott Charney: There are some who think, philosophically, that virtually any government intervention is bad. I think we need to look more carefully at the actual problem and proposed solution. Having spent 19 years in government, I know that certain statutory and regulatory actions may be very helpful to solving a problem. That said, some conditions must be met.

What conditions?

Regulation is appropriate if:

1. There is a clearly defined problem.
2. Market forces have failed or are failing.
3. The regulatory approach will solve the problem in a cost-effective way and more efficiently than other methods, for example, R&D.
4. The regulation is neither overinclusive (covering things that are unintended) nor underinclusive (leaving too much of the problem unaddressed). Some efforts to limit pornography, spam or spyware have not been crafted carefully enough.
5. The regulation is technology-neutral and does not skewer the market.
6. The regulation does not lock in technology, and reduce or eliminate needed innovation.

What are the benefits and pitfalls of regulation?

One problem is that regulations take a long time to promulgate and, once promulgated, are etched in stone. For example, most of the commercial world moved off Data Encryption Standard (which was no longer secure) long before the National Institute of Standards and Technology promulgated the Advanced Encryption Standard.

Another challenge is that the field is evolving very rapidly. Saying “thou shall be secure” does not give people enough guidance to be actionable. (Put another way, it is unfair, and perhaps unconstitutional, to hold people responsible when the required or prohibited conduct is not clearly defined.) At the other end of the spectrum, saying something specific like “you shall have a firewall” locks everyone into firewall technologies even if they’re overtaken by something new, for example, behavior blocking.

What has your government experience taught you?

I have learned that it is hard to say what you mean. You may know good or bad conduct when you see it, but articulating the appropriate standard can be very, very difficult.

Can you give an example?

Take spyware. How does one define it? If you say, “Spyware is any software that collects personally identifiable information” (PII), it is at once too broad (some information may be collected with consent) and too narrow (software that silently alters your settings without notice or consent should be deemed spyware even though no PII is collected). So let’s try another definition: “Spyware is any software that alters settings or collects PII without notice and consent.” But then, what if the spyware captures your keystrokes and stores them for later retrieval? Most would say this is spyware, but it still does not fall within the definition unless you happen to be typing in PII.

Moreover, what does it mean to give notice? Does it mean every component of an OS or application needs to notify the user whenever a setting is changed? Does notice have to be given every time the software is used? Or is once enough? It gets difficult quickly.