I know many in the security community seem to be in a state of immaculate rapture about the Federal Desktop Core Configuration (FDCC), a standard configuration of 300 security-related computer settings for Microsoft Windows XP and Vista, especially since Bruce Schneier actually brought attention to it in his May 6 blog post. And for good reason.
The argument is that, by leveraging U.S. government buying power (Microsoft must ship this configuration to Federal Agencies in order to comply with federal purchasing requirements), cyber security will be positively influenced. Government computer systems will be better (and more consistently) protected, and because the configuration standard is free and publicly available, private sector organizations might also benefit.
Anyone employing this standard, especially Federal Agencies, is likely to save a significant amount of money (some estimates place savings at $100 million or more). Standardized systems are easier to manage and patch, and thus easier and less expensive to protect. To a degree this is all true and accurate. It seems hard to argue that the federal government could not positively influence cyber security via its buying power because, gosh, the federal government has just so much damn money. While Federal buyer power is indeed important, it is not nearly as important – or influential – as some seem to assume.
Simply put, if federal purchasing power was not enough to significantly alter safety in the auto market, or toxins in the agricultural market, or pollution in the industrial market, or efficiency in the energy market, then federal buying power is not likely to be sufficient to influence cyber security in any significant manner either.
The reasoning is simple.
U.S. Government buyer power represents 19.9% of U.S. GDP (in 2008). This is actually quite small given the immensity of the U.S. Government (Canada's governmental expenditure as a percentage of GDP is 48%, and it is barely half the size of the U.S. government). Even if one references earlier times in the 1950s and 1960s, when U.S. Government spending was upwards of 25%, this amount was still not enough to influence auto manufacturers to make safer cars; this despite $329 billion of government spending on constructing safer highways and multiple large-scale buying contracts between government and auto manufacturers to make safer cars for government employees. In the end, auto manufacturers were still producing deadly cars.
So even at 25% of GDP, U.S. government buyer power was insufficient to compel auto manufacturers to make safer cars on a large enough scale to stop the carnage that was occurring on U.S. highways (no matter how safely those “networks” were designed under the new Interstate system). Even government expenditures of 43% of GDP, which is the Australian government’s yearly expenditure, were insufficient to positively influence auto manufacturers selling in that country. Instead, the Australian government too had to resort to a 5-star, consumer-oriented safety rating system similar to the one employed by the NHTSA in the United States.
Why the failure of government spending to influence markets?
Government expenditure in many respects simply cannot compare to the influence of private consumption – the power of the everyday consumer. In the US, this power is substantial. Private consumption represents 70% of US GDP. In the EU, private consumption accounts for 60% of EU GDP.
In short, expecting too much from government spending power is a mistake, especially in cyber security. It is a dangerous philosophical cul-de-sac in which too much trust and hope can lead to national disaster. Government buying power simply cannot compare to the raw influence of private consumption. The consumer needs to be brought into the battle of cyber security by leveraging their buying power to influence software manufacturers to make better, more secure software. Doing that requires a consumer-centric signaling mechanism.
My favorite to reference is the NHTSA 5-star rating system, but one could choose from similar labeling regimes for energy efficiency, fuel efficiency, or even organic food. It doesn’t matter. Labels coordinate and inform consumers on a scale not possible through private contracts, individual initiatives, or coordinated attempts by sectors, industries, or governments. We need a consumer-centric labeling regime for software security. A labeling regime, no matter how imperfect it might be, is an important and necessary component of national and economic security in a software-driven civilization.
Government spending will not be enough for cyber security because the breadth and depth of the problem is so immense, larger than anything we’ve ever faced. Government spending will certainly effect some positive change, to be sure, but not nearly as much as we need, or hope for.