Bruce Schneier gets it

13 August 2008

Bruce Schneier, suggesting the actions that the US Government could take to boost cyber security:

"[L]egislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at."

(From Bruce Schneier, "Memo to the President".)

Exactly; and as in security, so in other policy matters. Government doesn't know how to do things, but it's the best forum we have for deciding which outcomes we should strive to achieve, and it's the best way we have of raising revenue to achieve those outcomes. For such tasks, being big, monolithic and decisive are advantages, and government has them. But for actually achieving goals in complex, ever-changing societies, we need diverse, adaptive approaches. Stipulating outcomes and rewarding people for achieving them: government can do those things very well. But as Mr Schneier says, the market is the best way we have of allocating resources to actually achieving society's goals.