
of software and information system

1.4 What is regulation?

Because regulation is a widely used and generic concept, there is a need to specify how it is used in this study. The contents of the concept are sought out in order to limit the scope of this study and to make qualifications.

Unfortunately there is as little agreement on what ‘regulation’ is as there is on ‘information security’. Not only is there a conceptual muddle (what term to use), but also disagreement about the contents of the concept (what the issue is). However, as with my earlier treatment of the concept of information security, no formal, universally applicable definition of the concept of ‘regulation’ is given.

This is mainly because others have already ‘mapped’ the concept extensively [50]. I can lean on that.

The things that the concept of regulation does are much more important than what it means. To that end I will try to show the issues that the concept of regulation includes and, by doing so, I hope to be able to use it to provide some starting points for critical reflections on contemporary problems in information security regulation. The understanding of regulation given here is, following Julia Black, to provide a conceptualisation of regulation that provides the tools of inquiry into the particular problem of vulnerable software [51]. It is used to delimit and construct the scope of the inquiry, together with facilitating both the analyses and the practical discussions of how regulation affects behaviour and how it might be improved.

At best, regulation is an ambiguous concept. Even the basic regulatory textbooks give at least three definitions [52]. In the first, regulation is the promulgation of rules by government accompanied by mechanisms for monitoring and enforcement, usually assumed to be operating through a public agency (either one built specially for the purpose or an existing one). This is the way lawyers typically see regulation: simply as a type of legal instrument or as a part of public law. In this sense regulation is a rule of order prescribed by a superior or competent authority relating to the actions of those under its control.

In this traditional use of the term it usually denotes a form of intervention that consists of setting and enforcing rules of behaviour for organisations and individuals. It thus contrasts with other forms of state intervention such as public ownership, taxes and subsidies, or physical alteration of the environment [53]. In practice, discussion of regulation in the narrow sense tends to run into a broader discussion of alternative legal policy instruments, particularly over regulatory reform [54].

However, there is an even stricter understanding of regulation. According to Black’s Law Dictionary: “Regulations… are issued by various governmental departments to carry out the intent of the law. Agencies issue regulations to guide the activity of those regulated by the agency and of their own employees and to ensure uniform application of the law” [55]. Regulation is a rule or order having the force of law issued by an executive authority or government. Not even the highly detailed parliamentary laws typically used, for example, in Finland, would be included. Only agency regulations and ministerial decrees are considered regulation under this strict conception.

In the second, it is any form of direct state intervention in the economy or social environment, whatever form that intervention might take. Regulation is any attempt by the government to control the behaviour of citizens, corporations or other parts of the government. In this sense the goal of regulation is often the project of welfare economics: the correction of market failure. In the standard treatments of ‘regulation’, the ‘why regulate’ question is nearly always answered in terms of the correction of market failures, with the occasional nod to distributional or other ancillary aims [56].

Regulating Secure Software Development 26

[51] Black, Critical Reflections on Regulation, p. 19.

[52] See, e.g., Baldwin and Cave, Understanding Regulation, p. 2; Baldwin et al., A Reader on Regulation, ch. 1. See also Black, Critical Reflections on Regulation, p. 8 and Black, Decentring Regulation, p. 129.

[53] Hood and Scott, Regulating Government in a 'Managerial' Age, p. 1.

[54] See, e.g., Breyer, Regulation and its Reform and Ogus, Regulation. In considering whether to use law, ‘regulation’ or some other instrument to achieve a particular policy outcome, ‘legalisation’ is the consequence of an increasing reliance on law in state intervention, a meaning that must be distinguished from legalisation as a general increase of legal norms (as distinct from social custom, convention, or informal social norms) in society, as pointed out by Renate Mayntz in Political Intentions and Legal Measures, p. 57.

Introduction 27

[55] Black, Black’s Law Dictionary, terms ‘regulation’ and ‘regulations’.

[56] See, e.g., Weimer and Vining, Policy Analysis, p. 58-159; Breyer, Regulation and its Reform; Ogus, Regulation, p. 1-121; and Baldwin and Cave, Understanding Regulation, p. 9-18. However, as noted by Black in Critical Reflections on Regulation, p. 7, that goal is being displaced, and others added. Notably, the management and distribution of risk: regulating the ‘risk society’ is a burgeoning academic and policy area and there are signs that existing systems of regulation are coupling the correction of market failure with the management of risk as their organising principle. This is the theme in the analysis of risk regulation regimes in Hood et al., The Government of Risk, from 2001. Other goals that regulation ought to pursue, in particular those coming from a socio-legal base, are access to justice (Parker, Just Lawyers), or legitimacy (Baldwin and Cave, Understanding Regulation, p. 77-85), or the achievement of social justice in some form (Ayres and Braithwaite, Responsive Regulation, chapter 3), or the extension of participative forms of policy building into regulation (Black, Proceduralising Regulation Part I and II).

In the third, regulation is all mechanisms of social control or influence affecting all aspects of behaviour from whatever source, whether intentional or not. In its scope this definition covers everything from governmental regulation to all of social and political science. It provides no boundary at which regulation ends and some other influencing factor takes effect. The analytical value of this conception is minimal: it is so broad that it contributes nothing [57].

These definitions can be illustrated with a picture showing the alternatives a policymaker has in choosing the tools to be used. The state is just one example of a central authority that performs regulation; however, it is the most typical one and has the power to use legal measures.

Picture 1-1. The nature of alternatives in the choice of law as a policy instrument. Adjusted from Mayntz, Political Intentions and Legal Measures, p. 58.

[57] Black, Critical Reflections on Regulation, p. 8 and 17. This kind of wide usage of the term ‘regulation’ in Europe (almost as a synonym for governance) has somewhat hampered the emergence of regulation as a field of study separate from other disciplines. However, it is used in socio-legal studies like that of Lawrence Lessig, The New Chicago School.

At the first choosing point the alternative is between state intervention and non-state intervention [58]. Possible non-state-centred regulations (such as social norms) affect behaviour, and the state may even be able to modify the effects of these regulations. The state can intervene indirectly via these other regulatory instruments and the actors involved. All of this is encompassed by the third definition of ‘regulation’.

The second choice concerns whether to use regulatory (public) law, typically in the form of ‘command and control’ regulation, or other tools of the state (e.g. taxing, direct funding and other economic incentives, governmental procurement contracting, information, the threat of governmental regulation, or a conscious decision not to regulate). This is what the second definition covers.

The first, and most strict, definition of ‘regulation’ is visible in the last choosing point: the types of legal measures to use, or, in an even more limited version, where regulation corresponds to ministerial decrees or decrees given by administrative (regulatory) agencies.

The first two are clearly ‘centred’ definitions, i.e. regulation is seen to emanate from the state. The usual assumption is that government is the rule-maker, monitor, and enforcer, usually operating through a public agency (ministry, independent regulatory agency, some less independent form etc.) [59]. The second definition keeps to the government as the ‘regulator’ while broadening the techniques that may be described as ‘regulation’ [60]. The third definition breaks the connection with the state.

In the conception adopted in this study, regulation is ‘decentred’, i.e., diffused throughout society. A wider perspective, deviating from pure state-centred regulation, is necessary in order to understand the wide area of information security and especially the regulation of secure software development. This regulation is essentially dispersed among different types of self-regulation and governmental regulation, and social norms which have similar and even forceful effects on secure software development. Technologies and the methods for their development also play an important role.

Not only is the regulation of information security (even the regulation of secure software development) diffused throughout society, the existing state-centred regulation is also scattered among parliamentary laws, governmental regulations (decrees) and guidelines, supra-national regulations such as the different sources of EC law (treaties and general principles as primary legislation; regulations, directives and decisions as secondary legislation; general principles of administrative law; international agreements and conventions between member states) and international conventions and guidelines [61].

[58] Note that an explicit decision not to intervene, to refrain from regulating, can also be an alternative to legislating, as pointed out by Evert Vedung in Policy Instruments, p. 22-23. However, as Jyrki Tala argues in his doctoral dissertation Lakien vaikutukset, p. 152, the decision not to intervene has to be explicit and made systematically in order to be seen as a real regulatory choice.

[59] State centrism is the core understanding that many have of ‘regulation’, i.e., some form of ‘command-and-control’ (C&C) regulation (regulation by the state through the use of legal rules backed by mainly criminal sanctions). However, C&C has also become a shorthand to denote all that can be bad about regulation, as pointed out by Julia Black in Critical Reflections on Regulation, p. 2: the instruments used (laws backed by sanctions) are inappropriate and unsophisticated (instrument failure); government has insufficient knowledge to be able to identify the causes of problems, to design solutions that are appropriate, and to identify non-compliance (information and knowledge failure); implementation of the regulation is inadequate (implementation failure); and those being regulated are insufficiently inclined to comply, and those doing the regulating are insufficiently motivated to regulate in the public interest (motivation failure and capture theory), including poorly targeted rules, rigidity, ossification, under- or over-enforcement, and unintended consequences. The extent to which C&C does or does not live up to this caricature is an empirical question which has been debated, e.g., by Baldwin in Regulation and by Gunningham and Grabovsky in Smart Regulation, p. 38-50.

[60] Black, Decentring Regulation, p. 129.

[61] If it is problematic to recognise what information security is, it is even more difficult to grasp the regulation of it in a somewhat comprehensive manner, despite the efforts to coordinate the regulation at different levels. The first attempt at a coordinated policy on information security in the EU was in 1992 with the Council Decision 92/242/EEC of 31st March 1992 in the field of security of information systems, OJ L 123, 8.5.1992, p. 19-25. More successful attempts at coordinated policy have been the communications on Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime (COM(2000)890) and on Network and Information Security (COM(2001)298). Despite the difficulty, there have been substantial efforts to give at least a somewhat comprehensive overview of the state-centred information security regulation in academic literature, especially by Tuomas Pöysti in ENLIST Information Security Commentary and by Ahti Saarenpää and Tuomas Pöysti in Tietoturvallisuus ja laki.

As a qualification of the subject matter, the notion of decentring is controversial. The recognition that regulation is ‘decentred’ does not help to limit the scope of issues studied under this label. On the contrary, it extends the concept to cover every form of social control and re-labels almost all questions of social and political science as ‘regulation’. Moreover, the thing that is doing the regulating is increasingly broadened from the state and some self-regulatory associations to other actors (committees, firms, epistemic communities, contracting individuals) and to other ‘factors’ such as norms, culture and technology [62]. This has implications for how the ‘regulation’ is done – what instruments are used, as noted by Julia Black [63]:

“…if it is government that is seen to be the ‘regulator’ then regulation is used to refer to the use of rules, legal, quasi-legal, non-legal, which may have a certain character (mandatory, facilitatory, performance, technical), which may or may not be accompanied by systematic monitoring and enforcement of sanctions for their breach (‘command and control’ regulation) by government. Or, … it may refer to any action by government: use of laws, economic instruments, information, persuasion. … Non-governmental actors have a similar range of instruments, excluding the legitimate use of force. Governmental and non-governmental actors may act alone or in any combination. If the market is seen as ‘regulating’ then it is through the interactions of rational buyers and sellers. If it is the broad category of ‘social forces’ that is chosen then essentially the analytic tools of sociology are employed: structuring, framing, enabling, co-ordinating, ordering, etc.; if it is ‘technologies’ then it is the results of the development and application of understandings of the physical or human environment – the outpourings of the applied, natural, and human sciences.” (Italics added)

In an attempt to construct a minimalist core concept of regulation [64], Julia Black has mapped the decentred form of the concept in conventionalist terms, i.e. by looking at how the concept is used in practice and ascribing the definition to what the community under consideration (in her case the English-speaking academic and policy community) identifies as ‘regulation’ (what regulation is used to mean in that particular community) [65]. Such an approach avoids the problems of over- and under-inclusiveness that arise from the de-contextualised, generalised abstractions used in essentialist definitions (which identify central elements of the phenomenon and say that when they are present, the phenomenon may be termed regulation – ‘regulation is…’) and functional definitions (based on the function that regulation performs in society – ‘regulation does…’) [66].

[62] Black, Decentring Regulation, p. 132-133. With technology, Julia Black, Decentring Regulation, p. 137, is referring to the understanding of and ability to employ, manipulate, or alter the physical or human environment and the products of that understanding. Examples are probability theory (risk analysis), double entry book keeping (audit), design of the built environment and its impact on policing etc.

[63] Black, Decentring Regulation, p. 139.

[64] In agreeing that regulation does not solely emanate from the state, the decentred view (there is a similar discussion concerning ‘law’ under legal pluralism) leaves basically only two possible options for the conception of ‘regulation’: to abandon any attempt to hold on to a single coherent conception, or to attempt to construct a minimalist core concept. William Twining, A Post-Westphalian Conception of Law, p. 206, makes this observation in a similar discussion in relation to law.

[65] Black, Critical Reflections on Regulation, p. 11-19; Black, Decentring Regulation, p. 133-139. From the breadth of the basis of her argumentation it becomes visible that the community she is using in mapping the concept of regulation in conventionalist terms is not limited to English-speaking countries. The academic and policy community she refers to is much wider.

[66] Black, Critical Reflections on Regulation, p. 17-19.

The table in which she has included the different uses of the concept visualises perfectly the way ‘regulation’ is expanding as a concept. Even without further explanation it is useful because it shows in compact form the different meanings and contents of the concept. Black uses the following five-step classification of the different sets of meanings and applications of the concept of regulation [67]:

1. what regulation is assumed to be (a type of legal instrument, a process, an outcome, or a property);

2. who or what is performing it (state institutions, non-state institutions or actors, economic forces, social forces, or ‘technologies’);

3. what institutional or organizational form the regulation is assumed to take (e.g. ministries, supra- or international bodies, associations, firms, networks, market, norms, language);

4. with respect to what actors or areas of social life it is occurring (firms, markets, family, health, education etc.); and

5. how regulation is conducted, through what mechanisms, instruments and techniques (e.g. rules, taxes, trust, interaction of rational actors).

[67] Black, Critical Reflections on Regulation, p. 12; Black, Decentring Regulation, p. 134-135.

Table 1-1. Regulation – an ever expanding concept. Presented by Julia Black in Critical Reflections on Regulation, p. 12, and in Decentring Regulation, p. 134-135.

As Julia Black has noted, the way ‘regulation’ is conceptualised depends heavily on the problem or issue that the writer is focussing on [68]. The understanding of what regulation is depends on what we want to do with it. If it is to serve as a descriptive device for an empirical investigation into what structures or constrains the behaviour of individuals, organizations, or systems, then a wide-ranging conception of regulation is needed [69]. Such a definition would probably come close to embracing everything in the table above as part of the concept of regulation. This turns almost all questions of social and political science into questions of ‘regulation’.

[68] Black, Critical Reflections on Regulation, p. 9 and 19; Black, Decentring Regulation, p. 141-3.

[69] This is how Lawrence Lessig, Professor of Law at Stanford Law School and founder of the school’s Center for Internet and Society, one of the most influential persons behind the change in the legal culture of IT professionals towards the possibilities of regulation in cyberspace, uses the concept in making his argument for the regulability of ‘code’; eventually that ‘code is law’ (Lessig, Code and Other Laws of Cyberspace, Chapter 7 and Appendix; Lessig, The New Chicago School, p. 661-691). This different usage of concepts in Lessig’s work makes it really difficult for a lawyer to see the differences between law, regulation and governance. What Lessig is mainly talking about when he says that ‘code is law’ is some form of governance or regulation in the widest sense, not law in any strict sense. However, his aim is not conceptual precision but efficient rhetoric, and in that he succeeds with the analogy between code and law. However, this type of analogy makes it really difficult to discuss and criticise his theses, as the observation made by Syme and Camp, Code as Governance, The Governance of Code, p. 24, on the flawedness of the analogy between code and law shows. They consider the analogy flawed on the grounds that a person has the freedom to choose to bind herself to a certain code, whereas in relation to law there is no such freedom. What goes unseen is that in many other forms of governance or regulation (other than law) this kind of freedom exists. And this freedom exists even in relation to law, but in a more restricted sense, and concerns only those with the ability to move from one jurisdiction to another (e.g., global enterprises).

The purpose of this study being the examination of the possibilities
