I recently started reading Capitalism at the Crossroads: Aligning Business, Earth, and Humanity (2nd Edition) by Stuart Hart and Al Gore. The introduction to the book struck me. The challenges of regulating pollution from the 1970s onward bear striking similarities to the current security catastrophe in cyber space. I’m quoting a few paragraphs of Hart’s introduction here, one to maintain the integrity of the author’s thought process, and two, to highlight [below in bold] some very important similarities between his observations and those made in Geekonomics (with special attention on the last paragraph below):
There can be no question that command-and-control regulation was of enormous importance; it required, perhaps for the first time, that business address directly its negative societal impacts [creating pollution]. Since the time of the industrial revolution, enterprises had relied upon the extraction of cheap raw materials, exploitation of factory labor, and production of mass quantities of waste and pollution (think of those "dark, satanic mills"). Indeed, pollution was assumed to be part of the industrialization process. When economists conceived the concept of externalities, in other words, it seemed virtually impossible that firms could behave in any other manner. For the better part of 200 years, industrial firms engaged in what might be described as "take, make, waste" as an organizing paradigm. Command-and-control regulation seemed a necessary and appropriate counter to the prevailing industrial mindset.
Paradoxically, this mindset also resulted in what I call the "Great Trade-Off Illusion"—the belief that firms must sacrifice financial performance to meet societal obligations. A massive wall of environmental and social regulation has been spawned over the past 30 years, most of which has been written in a way that makes the Great Trade-Off Illusion a self-fulfilling prophecy. Just track the thickness (and lack of flexibility) of the Code of Federal Regulations in the United States for confirmation. Too often, command-and-control regulations prescribed specific treatment technologies without regard to their efficiency or cost-effectiveness.
The Great Trade-Off Illusion trained a generation of corporate, business, and facility-level managers to assume that societal concerns could only be drags on their business. As a consequence, their attitude tended to be reactive—they would do only the bare minimum necessary to avoid legal sanction. Unfortunately, when lawmakers and activists unfamiliar with operations or market dynamics write the rules for compliance, it is a virtual certainty that the rules will not integrate well with company strategy or operations. Taking a reactive posture thus doomed companies to a decade or more of onerous regulations that treated the symptoms rather than the underlying problems. These regulations targeted specific wastes, emissions, pollutants, and exposure levels through command-and-control-style rules that forced companies to deal with problems "at the end of the pipe" rather than addressing them as part of their core strategy or operations. Unfortunately, pollution-control devices can never improve efficiency or produce revenue; they can only add cost.
To me, Hart’s observations on the mindset of industrial manufacturers map closely onto cyber security, and onto software manufacturing in particular. There are a number of points I’d like to address in sequence:
- Pollution was assumed to be part of the industrialization process
- Too often, command-and-control regulations prescribed specific treatment technologies without regard to their efficiency or cost-effectiveness
- [Manufacturers’] attitude tended to be reactive – they would do only the bare minimum necessary to avoid legal sanction.
- When lawmakers and activists unfamiliar with operations or market dynamics write the rules for compliance, it is a virtual certainty that the rules will not integrate well with company strategy or operations.
- These regulations targeted specific wastes, emissions, pollutants, and exposure levels through command-and-control-style rules that forced companies to deal with problems "at the end of the pipe" rather than addressing them as part of their core strategy or operations. Unfortunately, pollution-control devices can never improve efficiency or produce revenue; they can only add cost.
Due to the length of the discussion for each point, I will split my discussion over a series of blog posts in the coming days titled "Cyber Security at the Crossroads" in deference to Hart's work. For now, let’s consider the first bullet: pollution was assumed to be part of the industrialization process.
Indeed, pollution seemed virtually impossible to avoid prior to the 1970s, so the population, including governments, simply accepted pollution as the cost of progress. In Geekonomics, I refer to software vulnerabilities as the “pollutants of cyber space,” causing significant "environmental" damage to the inhabitants of cyber space (governments, businesses, and individuals alike). The assumption by many is that software vulnerabilities are virtually impossible to avoid and are therefore accepted as the inevitable by-product of making software (and thus of progress). The mantra that “perfect software isn’t possible” seems to reflect this fatalist sentiment.
In fact, perfect software is not possible, just as zero-pollution manufacturing is not possible. But only when manufacturers pay the cost of their pollution do they begin to innovate on reducing their impact on downstream market participants and radically change the way they do business, a point that Hart emphatically argues in his book. Hart states that industrial firms engaged in what might be described as "take, make, waste" as an organizing paradigm. Software manufacturers’ comparable organizing paradigm might be "innovate, make, break" (although I still like Guy Kawasaki's catchy phrase, "Don't worry, be crappy. Just get your [software] product out there.").
Reducing the number of vulnerabilities released by software manufacturers through incentive programs might seem as inconceivable now as reducing pollution from industrial manufacturers seemed prior to the 1970s, but as I argue in Geekonomics, it is possible: our mindset needs to switch focus from the “end of the pipe” to its beginning and shift the cost of vulnerabilities from the consumer onto the manufacturer. One method of doing this is through Pigouvian taxes, employed far more regularly in Europe (and less in the United States), which form a more collaborative and goal-oriented regulatory approach with manufacturers, rather than a command-and-control regulatory model that prescribes specific treatments (such as “run lots of anti-virus software” in the cyber security realm) or specific pollution control devices (such as “deploy firewalls everywhere!”). But this gets us into the second bullet on regulation and what it might look like for the software industry and cyber security. I discuss that in the next post (Cyber Security at the Crossroads: Bad Treatment).