Google’s lesson: innovation has to be accompanied by reliability

Despite the growing concern that the power grid is susceptible to cyber attacks, the Obama Administration is moving forward with a smart grid in the same haphazard manner that the information technology industry has embraced technology development. In October, the Energy Department announced plans to spend US$3.4 billion in stimulus dollars on 100 smart grid projects in 49 states. Utilities agreed to add another US$4.7 billion. Yet the National Institute of Standards has not completed the Smart Grid Security Strategy and Requirements. Once again, safety and security lag design and delivery.

Hopefully, the tide may be turning. For months Google resisted making industry standard encryption the default on Google Mail, Docs, and Calendar since it would impede the flow of information across the Internet as well as slow down users’ computers by making them decrypt extra data. After going public about the attempted hacking from China, Google reversed itself and enabled this protection by default.

The lesson for the IT industry is that security has to be a primary concern in the next generation of innovation. Safety must be baked in at the design level and not as an afterthought. Retrofitting systems once a vulnerability is exposed does not work and companies that do not realise this will pay a price.

As a corollary to safety first, critical systems must embrace greater simplicity. The more complex a system is the more vulnerable. Computer systems used to control the electric and water grids for example, should do only what they need to do, no more, no less. Information technology providers will need to move away from a one-size-fits all approach, and provide simple systems that address clearly stated and limited purposes.

Governments can play a role in helping make this market shift. Washington, for example, can flex its muscle as a major user and insist that all new products achieve increasingly high standards for security and reliability. In addition, liability standards could be adjusted so that technology companies are responsible for the failure of their products. As the security consultant Bruce Schneier has suggested shifting liability for security from the consumer to the producer is likely to produce a secondary market for liability insurance that will promote better security practices without burdensome regulatory action.

Companies may also have to rethink where they manufacture and conduct R&D. Placing the two together and keeping them in the home country could limit exposure to theft of intellectual property and contamination of the supply chain. When closeness to foreign markets is critical, multinationals should let governments know that they are basing their decisions on where to site a research centre not only on access to talent and infrastructure, but also on the security environment. As a result, companies would be more careful about selecting countries before setting up R&D abroad. Outsourcing of manufacturing will continue, but it must do so under much tighter monitoring of the transfer from intellectual property to production.

The lesson of Google v China for information technology companies is: stop and take a breadth. Where goods are designed and manufactured still matters and racing off to some foreign location can mean the loss of valuable intellectual property. Moreover, first out of the gate is going to be less important. We all may be better off if the pace of innovation slows just a bit so we can be safer.