The legendary Bruce Schneier doesn’t see much happiness for the customers of the software industry unless government steps in:
The only way to force companies to provide safety and security features for customers and users is with government intervention. Companies need to pay the true costs of their insecurities, through a combination of laws, regulations, and legal liability. Governments routinely legislate safety — pollution standards, automobile seat belts, lead-free gasoline, food service regulations. We need to do the same with cybersecurity: the federal government should set minimum security standards for software and software development.
In today’s underregulated markets, it’s just too easy for software companies like SolarWinds to save money by skimping on security and to hope for the best. That’s a rational decision in today’s free-market world, and the only way to change that is to change the economic incentives.
Which aligns with my long-held view that software should always carry a substantial warranty, and that the old “this software is not warranted for any particular use” disclaimer was a scam that should have been made illegal. If we’re going to run a capitalist economy, then the costs of insecurity must flow to the responsible party where possible; and while out-and-out malefactors are not always found and prosecuted, and often can’t pay the piper, the companies selling insecure software can pay for it.
And, because they want bigger profits, they have a motivation to fix their damn software. No surprise here, right?
The question is how far we are going to have to go to create secure software, because products are delivered on the shoulders of other products: operating systems, compilers, software libraries both proprietary and free, all of them vulnerable to insecurities. As I’ve mentioned before, we need a software equivalent of Underwriters Laboratories (UL), which tests consumer hardware, such as can openers, for safety issues.
On the other hand, it strikes me that I may be pushing the UL analogy too far. After all, UL works on assuring bad designs don’t make it out into the world, while the software problem involves malevolent outside forces attempting to take advantage of mistakes in software design.
There is a difference, and it may affect how we should approach the problem. For example, perhaps these same companies should be permitted to sue the people taking advantage of software flaws, and, if successful, perhaps attach some percent of their incomes for the rest of their lives.
That might get their attention.
In any case, motivation of those producing the software is the key here. As Schneier points out, there’s currently little motivation for producing secure software; time to market and gimmick gimmick gimmick are the leading lights of the software producers. This has to change.
