Security Liability Laws are NOT the Answer

Bruce Schneier’s latest opinion piece in ComputerWorld, entitled Make Vendors Pay For Security Flaws, is correct on premise but flawed on proposed solutions. We should make vendors pay for security flaws, but increased liability law is not the answer. IT managers need to learn to vote with their feet.

Mr. Schneier argues several good points. He first points out that it is mostly the consumer or the IT department that shoulders the burden of security and the consequences of bad software security. He illustrates that software vendors have no financial incentive to make more secure products. But there are two points that I’m sure he is wrong about. I don’t believe that the end consumer should bear the cost, and I don’t believe that security liability laws are an effective solution.

[edit]Bruce has posted his article on his Schneier on Security blog, and was kind enough to link back to this rebuttal. Please click here for more discussion on the topic.[/edit]

Although I disagree, Bruce does make a good point about the end consumer picking up the cost no matter what the solution. His argument is to shift the burden from the consumer to the vendor, while acknowledging that the vendor will ultimately pass the additional cost of development back to the consumer. But there are a couple of problems with this theory.

First of all, it rests on the premise that good security is something that comes after the fact. His argument supports the “build it first, put security on later” mentality. This is a very dangerous premise, and I don’t believe any good can come from it. Sadly, it does seem to be prevalent in the industry. As an industry, we need to focus more on security at all points of development. The programmer needs to have it in the back of his head at all times. It takes a lot more time to do something incorrectly and go back and fix it than it does to do it right the first time.

But the biggest problem that I have with this premise is that the consumer ends up paying extra for something that should be there in the first place. It takes the attitude that security is an added feature. If we have that attitude, no wonder we have software security problems.

Bruce’s call for software liability law is a dangerous premise indeed. Most countries (especially the US) are in dire need of tort reform as it is. Liability law would push up legal fees and insurance fees and do the end user no good. Laws of this nature almost inevitably stifle innovation and prevent growth. Even with no claim ever filed, the cost of doing business rises steeply. Smaller and innovative companies fold because they can’t afford the added fees, allowing the larger companies to deepen their monopolistic stranglehold on the industry. Not only that, but you still haven’t taken care of the issue. Those high-volume software vendors are still looking at their huge profit margins, and they’re going to take a gamble. What’s $1 million in liability concerns for a $5 billion product line? To have any effect, you need to have huge damage settlements that probably go well beyond the Eighth Amendment. This just leads to a never-ending cycle. You reduce competition brought on by smaller companies, thereby increasing the profit margins of the larger companies. You take away a potentially secure alternative, while simultaneously removing the incentive for the larger companies to provide more secure software.

The real way to wake vendors up and get them focusing on security is to hit them where it counts — the bottom line. IT managers need to vote with their feet… pick software solutions from vendors with proven security records, or demand that security be in place before they purchase. Let the market do the work, not the lawyers. In some ways we’ve seen this at work already. After repeated warnings from various organizations about IE vulnerabilities, Microsoft is seeing a definite drop in browser market share. The correct message to send software vendors is the one that tells them we’re not even going to buy it if it isn’t secure.

But there’s another force out there that, believe it or not, is going to drive the security issue a lot harder than before. That is Sarbanes-Oxley. With hundreds of IT managers currently self-auditing applications in time to get them fixed and certified for the SEC in order to avoid fines, you’re going to start to see an almost immediate shift. Application security is a focal point, particularly around users and passwords. As managers sort through the mess, they’re making a mental checklist of new questions and requirements to ask of software vendors. Why are these passwords stored in plain text in the database? Why can’t this application lock out users after 3 failed password attempts? Why does the program accept a single character as a valid password? You may laugh, but I’ve had too much personal experience with this kind of nonsense to be joking. And I guarantee you that the next application that I install is going to have these security features out of the box, or the vendor is going to put them in before I buy. And another thing… don’t let that vendor charge you for an upgrade that everyone else with that application wants and needs. You do the vendor a favor by paying for development they can then sell to everyone else.
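The three vendor questions above (plain-text password storage, no lockout after failed attempts, one-character passwords) translate into three concrete checks an IT manager can run against a product before buying. The following is an added illustration of an application that passes all three, written for this post rather than taken from it or from any vendor; the minimum length of 8, the PBKDF2 parameters and the in-memory store are assumptions for the sake of the example.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 8   # assumed policy value; the post only says one character is too short
MAX_FAILED_ATTEMPTS = 3   # from the post: lock the account after 3 failed attempts
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the password hash


class AuthStore:
    """In-memory user store showing the three checks from the post.

    Passwords are never stored; only a per-user random salt and a
    PBKDF2-HMAC-SHA256 digest are kept, so a database dump reveals
    no plain-text credentials.
    """

    def __init__(self):
        # username -> {"salt", "hash", "failures", "locked"}
        self._users = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        # Check 3: reject trivially short passwords at registration time.
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
        salt = os.urandom(16)
        # Check 1: store a salted hash, not the password itself.
        self._users[username] = {"salt": salt, "hash": self._digest(password, salt),
                                 "failures": 0, "locked": False}

    def login(self, username, password):
        user = self._users.get(username)
        # Check 2: a locked account fails even with the right password.
        if user is None or user["locked"]:
            return False
        if hmac.compare_digest(self._digest(password, user["salt"]), user["hash"]):
            user["failures"] = 0   # successful login resets the counter
            return True
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
        return False

    def is_locked(self, username):
        return self._users[username]["locked"]

    def stored_record(self, username):
        return self._users[username]
```

The lock is deliberately permanent here so that an administrator has to unlock the account; a real product would more likely use a timed lockout and log each failure for the audit trail SOX reviewers ask about.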

7 Responses to “Security Liability Laws are NOT the Answer”

Ed C. Says:

Greg, I really liked your rant and I agree with what you say. Security needs to be designed in from the beginning and consumers (including, and especially, large corporations).

israel torres Says:

… build your church on sand and only faith can hold it from falling apart… for it is the faithless that get blamed and such must stop.

Israel Torres

zdw Says:

I think that your opinion on this issue depends on the weight of the problem. If you consider software security to be on the level of say, automobile safety, rather than graffiti, then Bruce is correct. Regulation is necessary for some things (the aforementioned car safety, drug and food safety, etc.) but not for other things (anyone can sell you a misbehaving VCR). The difference is where you draw the line.

Gregory Haase Says:

Personally, I think my opinion suffers from having a lot of foresight and perhaps a touch of tin-foil hat. I refuse to accept your analogy. Comparing hard or durable goods such as automobiles or pharmaceuticals to soft goods such as software is like comparing apples to oranges. It takes millions of dollars in research and development, equipment costs, testing, etc. in order to bring a car or a drug to market, whereas application development can occur solely on an investment in personal time. For example, 5 guys from around the world can decide to create an application, use CVS repositories from SourceForge, use equipment they already own, and can build wonderful and viable applications. Ask 5 guys to get together and build a car using nothing but resources that are already available, and I don’t think they’re going to get very far. For one thing, they’re going to have to crash test the thing, and then basically start again from scratch. Compare that to crash testing an application, where again, you can do it with only a time investment.

Of course, if 5 guys could get together and build a car and bring it to market with no investment, then I’m pretty sure that the world would have Open Source car technologies. We’d probably all get much better mileage, but all suffer when we need to change the fuel source and find that section of the manual hasn’t been written yet.

Yes, I agree… the difference is where you draw the line. But where would you draw it? How about critical services? In fact, let’s talk about web servers, since without them we probably wouldn’t be picking up all these nasty little viruses in our web browsers. Right now you have two major players in the market. According to Netcraft, Apache holds close to 68% of webservers, and IIS holds over 21%. Now let’s assume that Bruce’s proposed liability law is put in place. Since Apache is open source, its financials rely solely on donations and individual member investments. IIS, on the other hand, belongs to Microsoft. Now, under our new liability laws, all it would take to snow Apache under would be 5 - 10 completely bogus legal claims against it. They would be completely crippled just trying to get those cases thrown out. Microsoft could and would do nothing (except maybe connect investors to start-up companies whose sole profit model is to sue Apache). Now Apache is gone. Suddenly almost 68% of the webserver market is shopping for a new web server. While some of these companies are already using Microsoft servers and can make an easy switch, a lot of them are not only going to have to replace their webserver, but also their server OS. Microsoft will make an incredibly fat margin on such a deal. So much so that it would have little need to worry about this security liability law.

Now, I don’t think that would actually really happen, but it’s possible. Hell, after following “SCO vs World” for a year and a half now, I wouldn’t be that surprised.

But where the world really suffers is not so much there, but in software innovation and development in general. What happens to the more than 90,000 projects on SourceForge.net? What about other great open source applications that businesses both small and large can’t live without? What the hell would we do without BIND? This topic is security focused… who doesn’t want nmap and nessus? I got an idea… let’s create a security liability law that puts security tools in jeopardy.

No, I’m not saying that Bruce’s idea is really bad. At first glance, it’s a solid idea. But like many laws and initiatives out there, I think it’s a bit short-sighted. It takes a bit of the “cut off the nose to spite the face” attitude towards software. When proposing things of this magnitude, it helps to think objectively about the future and look at it from both sides. You can’t just pass consumer initiatives without looking at how they impact the manufacturer. You have to work up some scenarios in your head and look at all the pros and cons. When I first started reading the article, I thought it was a good thing too. It would be really nice to not have to worry about shoddy code and faulty security. Particularly when it’s embedded in the very development tools we all use to create additional software products. But as I stated earlier, where would you draw the line?

Schneier on Security Says:

Computer Security and Liability
Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to…

Emergent Chaos Says:

Corporate governance goals impossible
There’s a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a…

Davi Ottenheimer Says:

Agreed. Legislation like SOX and AB1950 will continue to make a huge difference. Increased demand for security among new generations of consumers will help as well. But legislation works both ways. Remember when Reagan opposed airbags because he said it would hurt the U.S. car makers? Only consumer demand was left standing once the government was pandering to large corporate lobbyists.