At a Federal Trade Commission hearing on Wednesday, Malcolm Harkins, chief security and trust officer at Cylance, will pitch his pet idea: The government should hold companies that make security software — like his — accountable.

The big picture: Harkins is hoping the FTC will require companies to "disclose all of the controls that failed" during a breach — from the security flaws exploited by hackers to the security products that didn't capture them.

  • "Do what the FAA does. They report the primary cause of the problem, like a broken wheel, and all of the contributing factors that didn't stop it," Harkins told Codebook.

To be clear, this isn't the type of idea the FTC usually goes for. The FTC's regulatory powers are largely based on its mandate to fight unfair practices — in cybersecurity that means deceptive claims of privacy protection. It's not an IT advice shop.

  • "The FTC has historically been averse to specifying security measures or products that a company should employ," noted Julie O'Neill, former FTC staff attorney and current privacy and data security partner at Morrison & Foerster.
  • That doesn't make it any less interesting an idea for someone, somewhere to run with.

Why it matters: If Harkins' idea ever gets adopted, we'd know a lot more about blind spots in breach prevention.

  • Organizations typically use multiple security products designed to thwart breaches at different points in the process — one product may detect strange computers trying to log in, another might detect malicious code being run, and a third might detect data being stolen.
  • But when the public hears about breaches, while we might learn about the initial entryway into the network, we don't tend to hear about why none of those products halted the hackers' progress.
  • Harkins compared it to how the government intercedes when there's trouble with automobile parts. "Takata was crucified," he said of the airbag maker forced into a massive recall. "Why aren't we crucified?"

That doesn't mean breaches always result from problems with products. But a company whose product roster matches that of a breached competitor might want to know how that combination failed.

  • This would be a good way to identify less capable systems or show how to improve capable ones.
  • If companies have clear gaps in their security product systems, knowing their negligence would be exposed might motivate some action.

Security vendors would almost definitely push back against any such scheme, as has happened whenever Harkins has brought up his idea in the past.

  • Vendors argue that breaches that circumvent their products often happen thanks to factors beyond their control: misconfigured software, poorly trained IT staff, other user error.
  • Harkins has a different explanation for the resistance: "They're embarrassed about major breaches they didn't prevent. And they should be."

The bottom line: The security industry is not at a point where it's comfortable with the message that "even the best products staffed with the best people will occasionally fail" — nor is the public ready for that nuance.
