Saturday, April 10, 2004

InfoWorld: Cybersecurity task force sparks debate

Cybersecurity task force sparks debate
Rift develops over who decides standards

By Grant Gross, IDG News Service

WASHINGTON - A cybersecurity task force convened by a U.S. House subcommittee chairman released a series of recommendations this week, but some of the results created rifts between IT vendors and security advocates, including a request to allow IT purchasers to band together to dictate security standards to vendors.

"Among the recommendations of the Corporate Information Security Working Group (CISWG), released this week by Representative Adam Putnam, was a proposal to change U.S. antitrust law to allow IT industry groups to agree on security specifications for software and hardware they purchase. The Information Technology Association of America (ITAA), which participated in CISWG, objected to that proposal, saying it amounts to a call for group boycotts.

'The proposal is that a larger group (of customers) would be able to form what amounts to a buyer's cartel to enforce a security standard the buyers' group endorsed,' said Joe Tasker, senior vice president for government affairs at ITAA. 'I don't see evidence that the marketplace has failed here.'

Tasker objected to the antitrust exemption because a buyers' group could hamper innovation in IT products by having customers, not vendors, set the standards. Buyers' cartels are illegal under antitrust law, and most enterprises haven't demanded security-certified IT products, he added.

'If the buyer sets the standard, who knows if they're right?' Tasker said. 'That's a prescription for a go-slow approach among vendors. (A buyers' group) changes the marketplace, and it's a killer on innovation.'

In October, Putnam, a Florida Republican and chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, floated a draft copy of legislation that would have required publicly traded companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission. Putnam decided not to introduce the Corporate Information Security Accountability Act of 2003 after loud objections from IT vendors, but he called on vendors and buyers to come up with alternatives to federal legislation."