In a further extract from his book, computer security expert Bruce
Schneier looks at where to apply pressure to improve products
We know how to build much more secure operating systems. We know
how to build more secure access control systems. We know how to
build more secure networks.
Certainly, there are still technological problems and research
continues, but in the real world, network security is a business
problem. The only way to fix it is to concentrate on the business
motivations. We need to change the economic costs and benefits of
security to put organisations in the best position to fix the
problem. To do that, I have a three-step programme. None of the
steps has anything to do with technology, they are all about
businesses, economics and people.
Step one: enforce liabilities
There are no real consequences for having bad security or having
low-quality software. Even worse, the market often rewards low
quality.
If we expect software suppliers to reduce features, lengthen
development cycles and invest in secure development processes, they
must be liable for security vulnerabilities in their products.
And if we expect chief executives to spend on network security,
especially the security of their customers, they must be liable for
mishandling their customers' data. We have to tweak the risk
equation so the chief executive cares about fixing the problem. And
putting pressure on the balance sheet is the best way to do
that.
Legislatures could impose liability on the computer industry by
forcing software manufacturers to live with the same product
liability laws that affect other industries.
If software manufacturers produced a defective product, they would
be liable for damages. Even without this, courts could start
imposing liability-like penalties on software manufacturers. This
is starting to happen.
Step two: allow liability transfer
This will happen automatically, because chief executives turn to
insurance companies to help them manage risk, and liability
transfer is what insurance firms do. From the chief executive's
perspective, insurance turns variable-cost risks into fixed-cost
expenses that can be budgeted.
Insurance companies will drive the computer security industry, just
as they have done in the bricks-and-mortar world.
Step three: provide mechanisms to reduce risk
Once insurance companies start demanding real security in products,
this will result in a sea-change in the computer industry.
Insurance companies will reward those that provide real security,
and punish those that do not. Security will improve because the
insurance industry will push for improvements, just as it did in
fire safety, electrical safety, bank security and other
industries.
Order the book online at www.wiley.com
(ISBN 0471253111)