Politics of Security

An interview with Lord Erroll entitled “The Politics of Security” caught my eye in the latest edition of Information Age. Erroll was behind the recent House of Lords Scientific and Technology Committee report on “Personal Internet Security.” In this latest interview, he adds some further context to the conclusions of said report.

It is illegitimate, says Erroll, for titanic software houses to sell a product to small businesses on the basis “that it’s a wonderful solution that will protect their business, and then when it doesn’t say, ‘Oh, I’m terribly sorry but it was your decision to buy it’”. Equally, he continues, a small provider offering downloadable freeware cannot be expected to compensate users if the product has flaws.

Eroding Microsoft’s dominance on the desktop would help improve the dynamics of security software development and delivery, he argues. If there were a large number of competing operating systems, the user could choose between high- and low-risk options. The point, he says, is that users do not have that choice and as a result are unable – and indeed offered no incentive – to make a risk assessment for themselves. “We’re just beyond the Model T Ford stage where IT security is concerned,” he adds.

I noticed that when the report was originally published, a security analyst from McAfee retorted with “security vendors only supply the tools, and it is up to businesses to deploy the tools effectively.” Yes, that’s true enough; however, you’re unlikely to win many friends – or long-term and repeat business – with that “the customer is in the wrong” attitude. Not only that, but why should it often be so difficult to meet the conditions of so-called “effective deployment” if the product was coded correctly or designed properly in the first place? Intellect, whose membership comprises most of the big names in the UK technology industry, made their own statement on behalf of their members:

We don’t buy a car and then expect the manufacturer to pay up when it gets broken into.

That statement alone shows just how little respect the industry really has for the customer. No, we don’t blame the manufacturer when our cars get broken into, but then it’s not really the same thing, is it? If I go to a restaurant and get food poisoning, I’ll certainly blame the chef. That’s a much better analogy in my opinion.

I agree with Erroll: vendors have a duty of care and I, for one, support the outcomes of the report.