10 Comments

Very informative.

Feb 7, 2023 · Liked by Walter Haydock

Interesting retort and critique, especially the risk management aspect. However, Walter missed a clear-cut opportunity to pin the tail on the root cause… Congress caving in to the Software Business Alliance lobbying effort to give the software industry a permanent waiver on the Universal Commercial Code’s warranty of merchantability and fitness for use requirements for their software products. They basically have ratified the bad business behaviors of software companies using their customers as crash test dummies without compensation or liability for damages. And OBTW, neither free patches nor gratuitous subscriptions to identity and credit protection are compensation.

Since you used the analog of the National Highway Safety Administration and automobile safety… the difference is that the automobile industry and almost all other consumer products industries are held accountable for damage if their respective products create a safety risk. Ask Ford about their Pinto gas tanks, Boeing about its 737 Max, GM about its Corvair, etc. The software industry assumes neither risk for its shabby vulnerable software nor accountability for the damages.

author

Thanks, Robert. I frankly wasn't familiar with the waiver you described. And reversing it might help to enforce accountability throughout the software supply chain.

With that said, how would you establish a balance between allowing litigation and facilitating innovation? As we have seen with healthcare (although I know this is a slightly different situation), the inability to waive the right to sue has driven costs through the roof and made innovation challenging.

I don't know the right answer here but appreciate your perspective.

Feb 7, 2023 · Liked by Walter Haydock

The balance between risk and inspiring innovation in IT/ICS/OT/cyber should be driven by the marketplace. The biggest software vendors have had unfettered access to business and consumer markets without risk of liability or accountability. Moreover, they foist unfunded maintenance and remediation costs onto users, especially those in business and government, whenever they issue patches and updates that tend to require users to test and update legacy systems, servers, and apps to work as advertised with new OS configurations. If these vendors were subject to litigation and legal accountability for defective/vulnerable software, the very risk management principles you cited in the article would tend to drive software vendors’ behavior towards holistically securing their products. In the automotive industry, recalls are significant motivation to manufacturers because the entire burden of cost falls on the manufacturers. Consumers, fleet managers, and dealers are indemnified from manufacturing defects. I think the analog fits the cyber domain, and I can tell you the software industry lobby has a vise grip on Congress to retain the waiver of the warranty of merchantability and fitness for use provision of the Universal Commercial Code.

Sorry, I think the “transparency” approach is far superior to the liability regime you suggest. Mandating that software vendors tell consumers what they’ve done to secure the software we trust our lives to is the least intrusive gov’t intervention. And it’s the right one. It’s designed to fix the asymmetric information market failure and will let the market (not government) decide the right level of security.

author

I hear what you are saying, but is the average consumer able to understand much about software security?

You could dump the entire source code, security program, compliance reports, etc. of a company on the internet, and less than 0.1% of the population would understand it to any meaningful degree.

But most people do understand "this company lost my SSN and now they need to pay a fine of $X."

In any case, the Easterly/Goldstein approach IS saying that the government should decide the right level of security...which it sounds like you are aligned with me on in saying that this is misguided.

No, the government is saying you have to be transparent. And I believe this is the right approach. I started talking about software security labels in 2004 and I’m thrilled it is happening.

A big misconception is that labels and transparency need to be understood by consumers. They don’t. Transparency regimes (drugs, cars, movies, energystar, and just about everything else) almost always affect producers first. They won’t go to market with a product that has “poison” on the label. That’s what we want.

You know why almost everything has labels? They work.

author

"U.S. government can start by defining specific attributes of technology products that are secure by default and secure by design." - From the article.

That would seem to me to be the government deciding on the right level of security.

And regarding labeling, you left out the category with the biggest impact, BY FAR, on the average consumer: food.

The vast majority of food has nutrition labels on it. And the majority of Americans are overweight while a large minority are obese.

I don't view the current approach as "working."

Seriously - before food labels the industry was producing basically poison. And the government doesn't decide what ingredients you can use (well, unless they're really dangerous)... basically you just have to disclose what's in there.

You might like the position paper I submitted to NIST about their consumer labeling program. I studied a bunch of industries and how labeling programs worked to transform them - https://www.nist.gov/system/files/documents/2021/09/03/ContrastSecurity-NIST%20EO%20Labels%20PP.pdf