Computer Security and Liability

Information insecurity is costing us billions. We pay for it in theft: information
theft, financial theft. We pay for it in productivity loss, both when
networks stop working and in the dozens of minor security
inconveniences we all have to endure. We pay for it when we have to buy
security products and services to reduce those other two losses. We pay
for security, year after year.

The problem is that all the money we spend isn't fixing the problem. We're paying, but we still end up with insecurities.

The problem is insecure software. It's bad design, poorly
implemented features, inadequate testing and security vulnerabilities
from software bugs. The money we spend on security is to deal with the
effects of insecure software.

And that's the problem. We're not paying to improve the security of
the underlying software. We're paying to deal with the problem rather
than to fix it.

The only way to fix this problem is for vendors to fix their
software, and they won't do it until it's in their financial best
interests to do so.

Today, the costs of insecure software aren't borne by the vendors
that produce the software. In economics, this is known as an
externality, the cost of a decision that's borne by people other than
those making the decision.

There are no real consequences to the vendors for having bad
security or low-quality software. Even worse, the marketplace often
rewards low quality. More precisely, it rewards additional features and
timely release dates, even if they come at the expense of quality.

If we expect software vendors to reduce features, lengthen
development cycles and invest in secure software development processes,
it needs to be in their financial best interests to do so. If we expect
corporations to spend significant resources on their own network
security — especially the security of their customers — it also needs
to be in their financial best interests.

Liability law is a way to make it in those organizations' best
interests. Raising the risk of liability raises the costs of doing it
wrong and therefore increases the amount of money a CEO is willing to
spend to do it right. Security is risk management; liability fiddles
with the risk equation.

Basically, we have to tweak the risk equation so the CEO cares about
actually fixing the problem, and putting pressure on his balance sheet
is the best way to do that.

Clearly, this isn't all or nothing. There are many parties involved
in a typical software attack. There's the company that sold the
software with the vulnerability in the first place. There's the person
who wrote the attack tool. There's the attacker himself, who used the
tool to break into a network. There's the owner of the network, who was
entrusted with defending that network. One hundred percent of the
liability shouldn't fall on the shoulders of the software vendor, just
as 100% shouldn't fall on the attacker or the network owner. But today,
100% of the cost falls directly on the network owner, and that just has
to stop.

We will always pay for security. If software vendors have liability
costs, they'll pass those on to us. It might not be cheaper than what
we're paying today. But as long as we're going to pay, we might as well
pay to fix the problem. Forcing the software vendor to pay to fix the
problem and then pass those costs on to us means that the problem might
actually get fixed.

Liability changes everything. Currently, there is no reason for a
software company not to offer feature after feature after feature.
Liability forces software companies to think twice before changing
something. Liability forces companies to protect the data they're
entrusted with. Liability means that those in the best position to fix
the problem are actually responsible for the problem.

Information security isn't a technological problem. It's an
economics problem. And the way to improve information technology is to
fix the economics problem. Do that, and everything else will follow.

This essay originally appeared in Computerworld.

An interesting rebuttal of this piece is here. [Schneier on Security]