A reader comments on the problems of cyber-insurance:
There’s a problem there, even several of them. But if Zurich said Mondelez was covered, then Zurich should pay up — regardless of how hard it is for their actuaries to calculate the risk. Don’t write a policy if you cannot or will not back.
I think that Zurich argued this was an act of war, not covered under the policy.
As for insuring software and/or holding the creators of an application liable — that’s a really tough nut to crack. Software is complex. Even using the very best development and testing methodologies, it’s impossible to prove correct.
And most people are unaware of those methodologies, and many of them cost extra money up front to implement. There’s constant research and change in what is thought to be the best methods, too. I’ve learned more about good software development in the last 10 years of my career than in the first, ah, 30. (good god, I’m old)
That’s just the software. Then there’s implementation, administration, monitoring, etc. Oh, and actually, it’s the systems of software applications which usually lead to security breaches, in my experience. That is to say, not one program/application’s fault, and hence, not one responsible party. Security is all about the layers of the onion, as they say.
I understand my reader’s remark about the complexity of developing software and software development methodologies and how they’ve changed over the years – but I have to wonder if they would have evolved faster, and into a more effective form, if the threats of responsibility had been hanging over the heads of the companies that produced them. Presently, changes (I hesitate to say “improvements,” as we’re going through a change to our processes at my employer) are driven by concerns about profitability, time-to-market, and satisfying the customers’ requirements – and I don’t care to include “security concerns” under “customers’ requirements,” because of the difficulty in evaluating & comparing various products’ security.
And, ideally, that shouldn’t be necessary. How many people think it’s appropriate that, when buying a sofa, the customer should be checking out the safety record of each brand of sofa? While a libertarian would no doubt have their hand up in the air at this juncture, they’re ignoring the concept of irremediable harm and the fact that we know how to build sofas that are safe from collapse, spontaneous combustion, etc.
I’m not claiming that we know how to write perfectly secure software, either – but I’m saying that this very hard thing to do should be our goal. We need to put together a vision of the ideal and then begin modifying the reality of the software world towards it. And if it’s necessary to get the attention of the software industry by hanging a sword over their head, then maybe we should do that because the alternatives, due to our growing dependency on computing, can be fairly horrific, from efficient logistics to nuclear plant meltdowns, from business bankruptcies to compromising information held on politicians.
Ugh. Sometimes the software industry just annoys me.
