5 Comments
Comment deleted (Feb 7, 2023)
Walter Haydock

Thanks, Robert. I frankly wasn't familiar with the waiver you described. And reversing it might help to enforce accountability throughout the software supply chain.

With that said, how would you establish a balance between allowing litigation and facilitating innovation? As we have seen with healthcare (although I know this is a slightly different situation), the inability to waive the right to sue has driven costs through the roof and made innovation challenging.

I don't know the right answer here but appreciate your perspective.

Comment deleted (Feb 3, 2023)
Walter Haydock

I hear what you are saying, but is the average consumer able to understand much about software security?

You could dump the entire source code, security program, compliance reports, etc. of a company on the internet, and less than 0.1% of the population would understand it to any meaningful degree.

But most people do understand "this company lost my SSN and now they need to pay a fine of $X."

In any case, the Easterly/Goldstein approach IS saying that the government should decide the right level of security...which it sounds like you are aligned with me on in saying that this is misguided.

Comment deleted (Feb 3, 2023)
Walter Haydock

"U.S. government can start by defining specific attributes of technology products that are secure by default and secure by design." - From the article.

That would seem to me to be the government deciding on the right level of security.

And regarding labeling, you left out the category with the biggest impact, BY FAR, on the average consumer: food.

The vast majority of food has nutrition labels on it. And the majority of Americans are overweight while a large minority are obese.

I don't view the current approach as "working."

Jeff Williams

Seriously - before food labels the industry was producing basically poison. And the government doesn't decide what ingredients you can use (well, unless they're really dangerous)... basically you just have to disclose what's in there.

Jeff Williams

You might like the position paper I submitted to NIST about their consumer labeling program. I studied a bunch of industries and how labeling programs worked to transform them - https://www.nist.gov/system/files/documents/2021/09/03/ContrastSecurity-NIST%20EO%20Labels%20PP.pdf