Is it time to regulate software security?

A panel of security experts on Wednesday debated the merits of regulating the software industry to curtail software flaws - and hence reduce the volume of virus attacks.

With software flaws serving as the open door to viruses and worms, a panel of industry experts at the RSA Conference in San Francisco debated whether it's time to regulate software companies. The experts were mixed on the effectiveness of such a plan and whether it could be undertaken without curtailing innovation.

Harris Miller, president of the Information Technology Association of America said: "The issue is not to regulate or not. Our industry is all about innovation, and my concern with regulation is it's often the enemy of innovation."

In that same vein, Rick White, chief executive of technology advocacy group TechNet, said the industry should come together and develop guidelines for best practices on developing software with minimal flaws, rather than imposing regulations.

"Congress will never solve the problem as well as the people who work in the industry," said White, a former congressman from Washington state.

But other panellists were not as sure.

Dick Clarke, chairman of Good Harbor Consulting and former presidential special advisor on cybersecurity, noted efforts to have industries develop guidelines and follow through have failed in the past. He pointed to a deal Michael Powell, outgoing Federal Communications Commission chairman, struck with internet service providers (ISPs).

Powell held a meeting with ISPs, wherein they developed guidelines. And although Powell threatened to regulate their industry if they did not abide by those guidelines, the ISPs did not adhere to those self-imposed practices, Clarke said.

"Powell bluffed them. They knew it, and now he is leaving office," Clarke said.

Other panellists, such as encryption expert and author Bruce Schneier, also called for more action in prompting software vendors to vet through their code before releasing it to the market.

"If we make it in their best interests to do this, then it will happen. You need to find a set of financial incentives," Schneier said. "Regulations would increase the cost of not doing security, and that would increase security [testing]."

He noted companies that currently take the time to test the security of their software before releasing it to the markets are at a disadvantage - higher costs and potential late arrival to the market.

Additional financial incentives may come from customers demanding a certain level of security testing from a vendor, before agreeing to sign a contract to purchase their products, Schneier said.

In offering a post-11 September, 2001, warning, Clarke said: "Regulation is neither good nor bad...but the industry should bear this in mind. After we have an incident, regulations will be much worse."

Dawn Kawamoto writes for CNET News.com.