Make suppliers take responsibility

In a further extract from his book, computer security expert Bruce Schneier looks at where to apply pressure to improve products

In a further extract from his book, computer security expert Bruce Schneier looks at where to apply pressure to improve products

We know how to build much more secure operating systems. We know how to build more secure access control systems. We know how to build more secure networks.

Certainly, there are still technological problems and research continues, but in the real world, network security is a business problem. The only way to fix it is to concentrate on the business motivations. We need to change the economic costs and benefits of security to put organisations in the best position to fix the problem. To do that, I have a three-step programme. None of the steps has anything to do with technology, they are all about businesses, economics and people.

Step one:enforce liabilities

There are no real consequences for having bad security or having low-quality software. Even worse, the market often rewards low quality.

If we expect software suppliers to reduce features, lengthen development cycles and invest in secure development processes, they must be liable for security vulnerabilities in their products.

And if we expect chief executives to spend on network security, especially the security of their customers, they must be liable for mishandling their customers' data. We have to tweak the risk equation so the chief executive cares about fixing the problem. And putting pressure on the balance sheet is the best way to do that.

Legislatures could impose liability on the computer industry by forcing software manufacturers to live with the same product liability laws that affect other industries.

If software manufacturers produced a defective product, they would be liable for damages. Even without this, courts could start imposing liability-like penalties on software manufacturers. This is starting to happen.

Step two: allow liability transfer

This will happen automatically, because chief executives turn to insurance companies to help them manage risk, and liability transfer is what insurance firms do. From the chief executive's perspective, insurance turns variable-cost risks into fixed-cost expenses that can be budgeted.

Insurance companies will drive the computer security industry, just as they have done in the bricks-and-mortar world.

Step three: provide mechanisms to reduce risk

Once insurance companies start demanding real security in products, this will result in a sea-change in the computer industry. Insurance companies will reward those that provide real security, and punish those that do not. Security will improve because the insurance industry will push for improvements, just as it did in fire safety, electrical safety, bank security and other industries.

Order the book online at 
(ISBN 0471253111)

Read more on Hackers and cybercrime prevention