In mid-2006, Gartner predicted that catastrophe resulting
from IT failure, or an ongoing history of lower-level failures,
would provoke governmental or industry self-regulation of IT products and
services in the US by 2015 and in the EU by 2015 to
2018. In accordance with our predictions, in recent months the
tempo and intensity of early indicators for IT regulation have
increased, writes Richard Hunter.
Reports of attacks on governmental systems and captcha-cracking
networks raised the question of whether the current state of IT
security was a threat to national security. These questions are
underscored by the unprecedented scope and boldness of recent
criminal attacks, such as the WorldPay theft in which $9m was
stolen from ATMs in 49 European cities within a 15-minute
window.
Barack Obama has publicly repeated stories of European cities
whose essential services have been compromised by cyber attacks.
Representatives of the EU consumer affairs office have called for
regulation of consumer-orientated IT products and increased
liability for suppliers of products whose failure impacts
consumers.
No industry ever achieves the impact on society that IT has
achieved without exciting the interest of regulators. Gartner
predicts that the EU will take formal steps to establish a regime
for regulation of consumer-orientated IT products and services as
early as 2011. We expect regulation to be targeted, with the
greatest liability residing in the owner of a software "stack."
Suppliers - or user IT organisations - making software with
potential to harm public health, welfare or finances will be
required to specify known limitations and recommended uses of their
products and services in detailed, accurate terms. Especially where
consumer products are concerned, regulations will spell out
standards for performance in applications where failure has
implications for harm. Grounds for lawsuit, with liability limits
far north of the current contractual value standard, will apply to
an expanded range of cases.
Important implications
There are important implications for IT companies, service
providers, user organisations and society as a whole. Starting at
the top, the economics of the software industry have always been
driven by speed. In an environment where software products are
subject to clinical trials, time to market for new products and
functions will increase.
Maintenance revenues will be impacted heavily when releases are
few and far between and users refuse to install new functionality
that is not thoroughly tested and certified as fit for purpose.
Software and related services account for about 6% of the US GDP,
and the impact will likely be non-trivial.
On the other hand, quality-based tiering of markets resulting
from regulation is likely to serve established IT firms well.
Demands for stronger documentation, testing and certification
amount to a higher barrier for entry to new market entrants. Those
working in markets where quality requirements are most stringent
will in many cases be driven to partnerships with larger suppliers
to complete steps for certification. In other words, regulation is
likely to increase the already strong trend towards industry
consolidation.
Increased liability
Many less-capable user IT organisations will find it necessary
to exit the application development business in the face of
increased liability. Yet businesses with capable software
development quality assurance processes will have new incentives to
enter software markets as suppliers.
The full impact of regulation is unclear at this point, but the
likelihood is increasing every day. Suppliers and IT users alike
should start thinking now about how they will operate in an
environment in which "anything goes" is no longer an option for
IT.
Richard Hunter is research vice-president and fellow at
Gartner