Earlier I said I was looking forward to hearing the law enforcement vision of the USSS to stamp-out cyber crime…. Didn’t get to (although I hear it was meaningfully robust). Instead I spent time on spyware.
Spyware was discussed a lot at RSA. We announced that as part of our Adaptive Threat Defense next phase of the Self Defending Network, anti-spyware is covered (part of our Anti-X initiative, where X is spyware, DDoS, malware, other things you want to stop), Microsoft announced that it was providing anti-spyware (from their Giant acquire) on the desk top at no additional charge, and pretty much all the AV vendors had booths at the show explaining what they assured us were their very effective new anti-spyware technologies. This lines-up with AOL and other ISPs adding anti-spyware into their service for no or little additional fee. Lots of market action here.
Proposed spyware bills try aim to stop bad actors from doing devious things with spyware. The challenge has been how to define and stop the problem without chilling innovation. I previously have talked about our position on spyware on a VOD The problem is of course difficult in part because bad actors may be overseas, do spoof their identity, and may be unlikely to stop. Law enforcement here is key. Unintended consequences can have non-trivial effects, and we need to make sure that as people look for legislative approaches, we don’t inadvertently chill current and future innovations in things like network management, maintenance, security, and other areas that make the Internet and enterprise networks efficient, productive, global, safe, secure, and robust. Networks are becoming fully interactive, passing instructions and information constantly to maximize utility, quality of service, and function. These are good things…. Not spyware…. The work on these issues needs to continue….
Even though I didn’t get to hear the USSS tell us about the next Elliot Ness, earlier I did hear a raucous discussion about regulation and security — the RSA company wanted to have people with very different views – and they were there. I have previously talked about security policy, both in text and VOD. My view is the the answer lies in market-driven innovation. Panel members at RSA who were open to some (undefined) kind of security requirements on ‘critical infrastructure sectors,’ like electricity, seemed to be under the impression that these sectors had few incentives to get secure. I’ve never subscribed to that. They talked about the Internet as if it were a public good, and were afraid of a ‘tragedy of the commons,’ in the traditional economic sense. My view is that it is not. Every piece of the network is owned by somebody — somebody with an incentive to get and stay secure. In electricity, for example, (where the Northeast blackout was used as an example of what could happen – which was caused by a power line sagging into a tree), someone said companies in the electric industry have little incentive to get secure because security was only a cost – again my view is different, first, going down does not go unnoticed, and second, the state electricity regulators at NARUC have said security is a positive thing and of course you can recover your investment, and in fact NARUC provided a road map for cost recovery through the rate-base, see the second report referenced on NARUC’s site. Certainly work needs to, and is, going-on regarding hardening SCADA systems, but it strikes me that the incentive issue is pretty clear. One panelist seemed to want ISPs to provide security, and in any case the market has driven AOL to roll-in AV to all its customers at no additional fee — which was followed by Earthlink, and then Net Zero to stay competitive with AOL. That has to have rolled-in about 30 million users in just the last 5 months. On the enterprise side, the Wall Street Journal reported in November that ATT/MCI/Sprint were competing against each other in the enterprise market based on security. Customers are asking for it, and ISPs are responding. Enough on that for now.
The big take away from RSA is the intensity of innovation. Someone who was there (and should know) said the vibe was like networking was 15 years ago. Fast, complex, fun and the place to be. That hit me as right. So long for now…..