In mid-2006, Gartner predicted that catastrophe resulting from IT failure, or an ongoing history of lower-level failures, would provoke governmental or industry self-regulation of IT products and services in the US by 2015 and in the EU by 2015 to 2018. In accordance with our predictions, in recent months the tempo and intensity of early indicators for IT regulation have increased, writes Richard Hunter.
Reports of attacks on governmental systems and captcha-cracking networks raised the question of whether the current state of IT security was a threat to national security. These questions are underscored by the unprecedented scope and boldness of recent criminal attacks, such as the RBS WorldPay theft, in which $9m was withdrawn from ATMs in 49 cities worldwide within a 15-minute window using cloned payroll cards whose withdrawal limits had been raised by the attackers.
Barack Obama has publicly repeated stories of European cities whose essential services have been compromised by cyber attacks. Representatives of the EU consumer affairs office have called for regulation of consumer-orientated IT products and increased liability for suppliers of products whose failure impacts consumers.
No industry ever achieves the impact on society that IT has achieved without exciting the interest of regulators. Gartner predicts that the EU will take formal steps to establish a regime for regulation of consumer-orientated IT products and services as early as 2011. We expect regulation to be targeted, with the greatest liability residing in the owner of a software "stack."
Suppliers - or user IT organisations - making software with the potential to harm public health, welfare or finances will be required to specify the known limitations and recommended uses of their products and services in detailed, accurate terms. Especially where consumer products are concerned, regulations will spell out performance standards for applications in which failure can cause harm. Grounds for lawsuit will apply to an expanded range of cases, with liability limits far above today's norm of capping damages at the value of the contract.
There are important implications for IT companies, service providers, user organisations and society as a whole. Starting at the top, the economics of the software industry have always been driven by speed. In an environment where software products are subject to clinical trials, time to market for new products and functions will increase.
Maintenance revenues will be impacted heavily when releases are few and far between and users refuse to install new functionality that is not thoroughly tested and certified as fit for purpose. Software and related services account for about 6% of the US GDP, and the impact will likely be non-trivial.
On the other hand, the quality-based tiering of markets that results from regulation is likely to serve established IT firms well. Demands for stronger documentation, testing and certification amount to a higher barrier to entry for new market entrants. Those working in markets where quality requirements are most stringent will in many cases be driven into partnerships with larger suppliers to complete the steps needed for certification. In other words, regulation is likely to reinforce the already strong trend towards industry consolidation.
Many less-capable user IT organisations will find it necessary to exit the application development business in the face of increased liability. Yet businesses with capable software development quality assurance processes will have new incentives to enter software markets as suppliers.
The full impact of regulation is unclear at this point, but the likelihood is increasing every day. Suppliers and IT users alike should start thinking now about how they will operate in an environment in which "anything goes" is no longer an option for IT.
Richard Hunter is research vice-president and fellow at Gartner
This was first published in August 2009