Thursday, September 03, 2015

Why licensing wouldn't work

Would you allow an unlicensed doctor to operate on you? Many argue that cybersecurity professionals, and even software programmers, should be licensed by the government similar to doctors. The above question is the basis for their argument.

But this is bogus. The government isn't competent to judge doctors. It licenses a lot of bad doctors. It'll even give licenses to people who plainly aren't doctors. For example, in the state of Oregon, "naturopaths" (those practicing "natural", non-traditional medicine) can be licensed to be your primary care provider, prescribe medicines, and so on. Instead of guaranteeing "good" professionals, licensing gives an official seal of approval to "bad" practitioners. Naturopathy is, of course, complete nonsense, and Oregon politicians are a bunch of morons. (See the Portlandia series -- it's a documentary, not fiction).

Professions like licensing not because it improves the quality of the profession, but because it reduces competition. The steeper the licensing requirements, the more it keeps outsiders out. This allows the licensed to charge higher fees. This is why even bogus occupations like "hairdressers" seek licensing -- so they can charge more money.

Since different states license different occupations, we have a nice experimental laboratory to measure the benefits of licensing. As the Wikipedia page on the subject documents, many have done the studies, and found no benefits.

Many argue for government to get involved in cybersecurity. Their premise is that government is an oracle, all seeing and all wise. That's simply not true. Government can't figure out their own cybersecurity, so it's unreasonable to expect they can pass laws to help ours. Since they don't know cybersecurity, their solutions will be based on politics, not reason. That's why their "CISA" bill attempts to solve cybersecurity with increased government surveillance -- because more surveillance is what government wants. This is why they punished North Korea based on flimsy evidence in the Sony attack, but ignored the hard evidence pointing to China in the GitHub attacks. Politically, beating up on North Korea is easy, but fighting China would entail unacceptable political costs.

As the Wassenaar cyber export rules demonstrated, government won't solve cybersecurity problems. It'll just create a whole new set of problems.

2 comments:

TempvsSolvs said...

Our government already has its fingers in too many pies. It's so bloated that any regulation it tries to make (that doesn't strictly benefit itself, of course) is already obsolete by the time it's signed into law. We have untold thousands of laws on the books that serve no actual purpose or benefit other than making it look like something was accomplished by lawmakers. And all they ever seem to want to do is add more-- more regulation, more rules, more limitations, more ways to make money and stifle innovation.

Anyway...I'm sure there's tons of examples where having a technical/skilled field regulated by a totally unrelated and uninformed body has been exceptionally successful, though. Surely.

John Moehrke said...

Do you have the same conclusion on private sector Certificate?

Even a poor and somewhat corrupt system is likely better than the layperson's ability to judge competency. I am not arguing against your position but rather pointing out that there is a need.