Telecommunications companies want President Barack Obama’s administration to rethink a decision that may exempt Google Inc. (GOOG)’s Gmail, Apple Inc. (AAPL)’s iPhone software and Microsoft Corp.’s Windows from an executive order on cybersecurity.
Obama’s Feb. 12 order says the government can’t designate “commercial information technology products or consumer information technology services” as critical U.S. infrastructure targeted for voluntary computer security standards.
“If e-mail went away this afternoon, we would all come to a stop,” said Marcus Sachs, vice president of national security policy at Verizon Communications Inc. (VZ), the second-largest U.S. phone company. “Hell yeah, e-mail is critical.”
Technologies used in personal computers, software and the Internet “are the lifeblood of cyberspace,” Sachs said. “If you exclude that right up front, you take off the table the very people who are creating the products and services that are vulnerable.”
Obama’s order is aimed at areas such as power grids, telecommunications and pipelines. The goal is to protect “systems and assets whose incapacitation from a cyber incident would have catastrophic national security and economic consequences,” White House spokeswoman Caitlin Hayden said in an e-mail. “It is not about Netflix, Twitter, Facebook, and Snapchat.”
Cybersecurity and CNI (Critical National Infrastructure) are all about government projects and regulatory power-grabs, and what’s worse is that there is bucket-of-crabs thinking within the industry:
Telecommunications and cable companies don’t want to face regulatory burdens and costs that aren’t shared by technology companies, David Kaut, a Washington-based analyst with Stifel Nicolaus & Co., said in an interview.
“The telecom community is concerned the tech industry is going to get a free pass here,” Kaut said. “You have an ecosystem and only the network guys are going to get submitted to government scrutiny.”
“Cybersecurity” of non-state-owned infrastructure should be devolved to the responsible organisations in terms of a service-level agreement, or it should be entirely abandoned as a state responsibility; I somewhat agree with the boys at Veracode when they write:
there’s a role for government oversight of issues like software security (maybe we should start calling it “software safety”) that doesn’t extend to having the government tell Microsoft how to build its operating system – or even how to secure it. The Federal Aviation Administration doesn’t tell Boeing how to build jetliners. It does set stringent standards for how those jetliners have to perform in both typical and adverse circumstances. The result: incidents of equipment malfunction stemming from poor design or deployment are extremely rare. Serious accidents stemming from such failures are rarer still.
…but I believe that comparing software lifecycles to aircraft engineering will only lead the discussion astray; at some level, computing today is about trying to put reliable service atop unreliable hardware, and although there are odd failures I’d suggest that by and large we’re successful when we’re at scale. By comparison, the aircraft industry is not about launching three aircraft at a destination and expecting at least one to turn up.
Just wait, though; someone will try to get it back on the agenda. Probably a major software vendor who wants to stop Government agencies adopting open source.