Ars Technica on Liabilities and Computer Security
Good article:
Halderman argued that secure software tends to come from companies that have a culture of taking security seriously. But it’s hard to mandate, or even to measure, “security consciousness” from outside a company. A regulatory agency can force a company to go through the motions of beefing up its security, but it’s not likely to be effective unless management’s heart is in it.
This is a key advantage of using liability as the centerpiece of security policy. By making companies financially responsible for the actual harms caused by security failures, lawsuits give management a strong motivation to take security seriously without requiring the government to directly measure and penalize security problems. Sony allegedly laid off security personnel ahead of this year’s attacks. Presumably it thought this would be a cost-saving move; a big class action lawsuit could ensure that other companies don’t repeat that mistake in future.
I’ve been talking about liabilities for about a decade now. Here are essays I’ve written in 2002, 2003, 2004, and 2006.
Richard Steven Hack • July 27, 2011 7:57 AM
It would be nice if civil liability were an issue for the entire IT industry in terms of usability and reliability as well as security.
In fact, it would be nice if the “we bear no responsibility for anything because our product is total crap – and by the way you don’t even own it” EULAs were grounds for civil liability.
The bottom line: None of this is going to happen as long as Microsoft, Apple, Oracle and other multi-score-billion-dollar companies make massive campaign contributions to politicians.
Just as Congress will never loosen the overly restrictive intellectual property laws because the even LESS massive entertainment industry has paid them off to make sure that never happens.
You want liability for insecure software? Start by demanding Congress pass a law outlawing all campaign contributions by corporations of any kind on any level – city, state and Federal.
Which might also at least make one small step to preventing the military-industrial complex, the oil industry, the financial services industry, and the banking industry from running the US Congress as their errand boys. The current President of the United States is an errand boy for the Crown and Pritzker families in Chicago, nothing more. Which is why we’re in – and will stay in – Iraq, Afghanistan, Yemen, Somalia, Libya and heading for Pakistan and Iran.
Naturally, the odds of getting any such legislation through are approximately zero point zero.
Bottom line: The software industry, let alone any of these other industries, is not going to change – ever. And neither is the US Congress or the electorate who puts these scum into office every four years.
“There is no security” is a meme which is dependent on a number of far, far lower level memes that deal with the real world.
Suck it up.