Joel Brenner and David Clark remark on cybersecurity standards on Lawfare:
Liability for unsafe devices and tax incentives for qualified investment that increases security also need attention. We have no binding standards for the manufacture and use of insecure hardware and software, even for critical infrastructure. A private accreditation bureau, the “UL,” certifies that the cord on your toaster is safe, but there is no comparable body to certify that the controls being sold to a pipeline operator are safe and suitable for that use. Insurance carriers should support this effort. It was insurers, after all, who created the model. “UL,” or Underwriters’ Laboratory, began in 1894 to reduce fire insurance claims resulting from newfangled and often faulty electric devices.
(Bold mine.) Underwriter’s Software Labs (USL). It would require some work, but the damage costs it would save would dwarf the effort. Software components treated as things with a specific purpose – we could finally begin reversing the damage done by those software disclaimers that their software had no specific use and thus no warranty applied.
That always pissed me off, and while the software industry has no doubt grown, rather like a cancer, over the decades because it didn’t need to spend the time to ensure the software really worked, its reliability has been atrocious.
At best.
I envision customers specifying the required reliability and security ratings of their software, and then being able to shop for their components based on the ratings assigned to the components by USL. Devil would be in the details, though.
