Printer Friendly

Is regulation the answer?

WITH THE THREAT OF a nuclear war receding, our national focus has begun to shift to global economic competition. There has been talk of shifting our national security focus from a military orientation toward protecting industrial proprietary information. Michelle Van Cleave, assistant director for national security at the White House Office of Science and Technology Policy, has proposed developing a national information protection policy.

Van Cleave believes the topic warrants serious public debate, particularly concerning the roles of government and industry. A range of options is being discussed. One suggestion is to have the government handle overall information security, including unclassified industrial technical data.

When viewing industrial technology as a national asset--which it clearly is--it is tempting to see the government as the protector. A natural tendency exists to extend government's role in restricting access to the area of unclassified technology. This is particularly true because much emerging technology is dual in nature. It has both commercial and military applications.

The blurred distinction between commercial and military technology has become one of the central problems in this debate. The Gulf War brought home the extent to which nations have become dependent on a rapidly expandable, high technology base to ensure military superiority. But it would be a serious mistake to create a government program to regulate or control information and technology developed in the private sector. This would be the national equivalent of Hamlet's grasp of the dagger as an easy out.

While government has been an invaluable catalyst in developing new technologies, the power of the American industrial entrepreneur has been the foundation of our technological position in the world. Our preeminence in scientific and technical achievements is second to none. Recall the awards for the Nobel prize in science. America has dominated the field.

The vitality of the American free-enterprise, market-based economy has outlasted competing ideologies of centralized state ownership and control. The triumph over communism has been achieved by having our military strength contain the expansionist designs of the Soviet Union long enough for us to overpower them by the strength of our economic system.

We just won a seventy-five-year contest with a state that saw itself as the owner and controller of production. What a paradox it would be for us now to turn and shackle American innovative power to some system of centralized government control.

Government must balance a variety of interests and priorities. Reaching agreement takes time. Industry, on the other hand, tends to be a more cohesive structure organized around more narrowly defined goals and objectives. It is not surprising that a significant percentage of technological innovations have come from industry.

Adding to this attempt to make distinction about the roles of government and industry, the American political process recognizes the tradition of private property ownership. When American industry accepts the risk to invest in new ideas, it is reasonable to expect it to want to retain a significant say over the use of these ideas and innovations. It may be necessary and even desirable for government to recommend goals and objectives, but it is intrusive to inject controls that directly affect the innovative process.

The Jeffersonian concept, which says that a government that governs best governs least, deserves attention. Our expanded involvement in the world has, out of necessity, shifted increased responsibility to the federal government. But it is important to distinguish between whether a policy is in response to the trend to increase government's role or whether it is out of necessity.

The current process, spearheaded by several industry associations, of formulating a National Industrial Security Program (NISP) proves that industry and government can collaborate in reviewing and formulating policy. NISP would focus a decentralized government security program into a more uniform, threat-driven discipline. But even the best intentions to formulate balanced policy are no guarantee. As long as regulators resist allowing those who are being regulated to participate in policy development, industry should remain wary of government's attempts to regulate private, unclassified intellectual property.

A laissez-faire approach is not necessarily the answer, either. There are no easy solutions to the complex issues Van Cleave has recognized in her efforts to direct us toward an effective and reasonable national information security initiative.

An important role of government is to protect against the misuse of American technology. This can be accomplished by improving the effectiveness and timeliness of existing regulations. Take, for example, the designated countries concept. The variety of lists being distributed from multiple sources under new name are out of date by the time they hit the street.

Another concern is whether a coherent statement of foreign policy objectives exists that can serve as a cornerstone of a critical technology dissemination policy. Resiliency and timeliness in formulating critical technology dissemination policy might be enhanced by consolidation within the Executive Branch.

If present programs by the Department of State, the Department of Commerce, and the U.S. Customs Service do not adequately help stem the illicit flow of U.S. technology, perhaps these programs need to be reviewed or consolidated before adding another layer of regulatory bureaucracy. American industry is receptive to cooperating with government export control initiatives.

The operations security (OPSEC) process also needs to better define the threat to specific industrial applications. OPSEC is useful to the extent that it helps organize and collect data. But OPSEC is nothing more than a tool.

I remember a lesson I learned while working one summer between college semesters on a construction crew. I had bought a brand new half-inch drill to use on the job. This was back in the days when hand power tools had metal cases. I was proud of my shiny new drill, which represented a serious financial investment for me. The foreman asked to see my drill. After admiring it, he bent down and forcefully slid it across the length of the concrete slab we were working on. He then turned to me and said, "There, now you won't be afraid to use the damn thing!"

Similarly, perhaps we need to drop OPSEC policies on the floor a few times and nick them up so we do not stand in awe of the tool and forget it is the end result that counts.

Another concern is that OPSEC may take the government beyond its proper advisory role toward compliance oversight. The decision about the adequacy of an OPSEC plan should remain within industry. An effective OPSEC strategy has to be honest and detailed. Having outside approval would have a chilling effect on the candor and depth of the process. If government were to institutionalize OPSEC compliance for private industry, forms would be filled out in ritual fashion with the bare minimum of data reviewed to get by. Fear of the loss of proprietary data or exposure of vulnerabilities would render OPSEC plans submitted for review worthless.

At this early stage of formulating a national information security protection concept, we should all support and actively participate in the process. To make this partnership fruitful, government needs to overhaul and consolidate existing policies, regulations, and initiatives before adding additional bureaucracy. Dialogue should continue between government and industry in defining and understanding threats, particularly from foreign competitors.

Government needs to understand that proprietary information is the lifeblood of commercial success. The hard realities of today's market are that most research efforts work on an extremely close after-tax profit margin. Industry, for its part, must develop better self-regulated, information control mechanisms to survive.

Whether a strong and vital American technological innovative force will exist depends on whether any potentially fatal solutions are imposed on the process. Industry must also demonstrate a commitment to enhanced, cost-effective information security to prove that external pressure through regulation is not necessary.

Lawrence J. Howe, CPP, is corporate vice president of security for Science Applications International Corporation in San Diego, California. He is a member of ASIS.
COPYRIGHT 1993 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:industrial security
Author:Howe, Lawrence J.
Publication:Security Management
Date:Jan 1, 1993
Previous Article:The other industrial security programs.
Next Article:The proof is in the picture.

Related Articles
DIS helps build security relationships.
The pension answer book, 2005 ed.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters