Badly written, insecure software products are hurting people and costing businesses and individuals billions of dollars every year, says David Rice, in his new book Geekonomics: The Real Cost of Insecure Software (Addison-Wesley Professional, 2007). Yet far from being penalized for it, software vendors have been rewarded with greater market share and profits because of the lack of accountability in the software industry, he says. In his book, Rice talks about the need for change in the software industry and how to bring about that change. Rice, president of the Monterey Group, a security consultancy in Monterey, Calif., is also an adjunct professor at James Madison University's Security Graduate Curriculum and has spent more than a decade working for the military on national security issues. In an interview, he talked about his book.
Why did you write this book? I wanted to tell a story of software that everybody can understand. One of the ways of doing that is not to talk about software from a security perspective but from a technology perspective. What are the incentives for manufacturers, what are the incentives for consumers, and what are the incentives for hackers?
You say that software products in general have had largely detectable and preventable security defects for the beginning. Why haven't vendors made their products more secure? In the software market, we have this problem of asymmetric information, which means the buyer doesn't always know what they are getting. Basically, they cannot distinguish between high- and low-quality software. They have no idea if what they are buying is nice quality or if what they are buying has been cobbled together. There is a pretty general theme going around that software is in a bad state. But I can't use that to say to Microsoft or to another vendor that "I am going to only pay you 10% of what you are asking for."
This isn't to vilify software manufacturers. Software manufacturers are doing what any manufacturer would try to do. It is not like they are deliberately trying to make crappy software or to screw people over. They are just trying to do what they need to do to maximize their own profits. They really don't have any meaningful incentive to look out for you. So you can have Trustworthy Computing, or you can have a certain vendor say they are "unbreakable." But when they are wrong, they just kind of shrug their shoulders. There's no punishment for being wrong.
How do you get software vendors to write more secure software? From a high level, what we need to do is to make it more expensive for people to produce low-quality software. Markets give us what we want, not what we need. So if we don't want security, we are not going to get it. I would argue that most of us do, indeed, want security in our software. We do want safety. We just can't distinguish it when it isn't there. We kind of know it's not there, but we don't know how much isn't there. So it is very difficult for us to price it.
But how do you price vulnerabilities? This is open for debate. But one mechanism potentially is to price vulnerabilities like you price carbon emissions. So short of legal liability, short of government interventions, what you can say is [the government] is not going to get directly involved. But for anything that a U.S.-CERT or an Australian-CERT or someone like that identifies as a vulnerability, you are going to get taxed a certain amount. Let's just say all vulnerabilities are created equal just to simplify this discussion. It is impossible to create software that is devoid of defects. So what we are saying is vulnerabilities are an inevitable part of software development and we are not expecting perfect software. But we are expecting a reduction in the emission of vulnerabilities. Then what happens is vendors get taxed a certain amount, maybe $100,000 or something like that, per vulnerability. Now, all of a sudden, you have an incentive -- because now vendors have to pay for the cost of emissions. It basically means that costs [that have] never been associated with the outcome of their products now [have] to be accounted for. Any good company would say, "I need to reduce my production costs." But the cost of fixing the vulnerability has to be less than the price of the vulnerability. What we get then is a pretty good situation, because the vendor can now price security, the market can now price security and so can the consumer.
The complexity comes from the fact that all vulnerabilities are not equal. Some are not so serious; some are absolutely critical. So there's a subjective aspect to consider. This is all nascent in terms of how we are trying to figure things out. But the vulnerability pricing model is an interesting thing to explore.
What do consumers need to know about software security? Security has to be made more visible in some way. Right now, it isn't. The quality or safety of a vehicle isn't all that obvious to a buyer either. [If] I walk up to a car and it's a Toyota, I might guess it's a safe car. I might not. So what the National Highway Traffic Safety Administration has done is basically assign a five-star rating system for vehicles. A consumer can walk up to a car and say, "Five stars are better than four stars. I have a family, and I am going to choose five stars." That has made safety more visible to the consumers, so they can price it. What that means is that it is actually more expensive for a manufacturer to produce a low-quality car, because they are not going to sell as many cars as a five-star manufacturer. Arguably, making a safe car is much more expensive in terms of production cost than a one-star-rated car, but the market goes against the manufacturer if they choose to make a one-star-rated car.
With software, [the situation] is completely inverted. It is actually incredibly inexpensive for me to make a low-quality product and get rewarded for it by the market because no one can distinguish good-quality software in the market.
What would a five-star rating system look like in the software context? It still needs to be worked out. It is easy to talk about cars because we sort of intuitively understand that. But software is more complex. What really is required is some sort of an objective measurement that either industry comes up with or the government comes up with in combination with industry -- something that people can actually wrap their heads around. It doesn't have to be a five-star rating; it just has to be some sort of consistent and measurable information source that is easily consumable by people. It isn't an easy problem to solve. But it is not impossible. There needs to be more fire under the pot.
Why hasn't that happened? When we look at the auto manufacturer market, it wasn't just government regulations that compelled auto manufacturers to change. It was the removal of the doctrine of privity, which basically shielded auto manufacturers from any third-party claims. Auto manufacturers distributed their cars to dealers who then sold the cars to consumers. There was a third-party involved. So the consumer couldn't go to the manufacturer and say, "Hey, you just built a car that killed my family," because the doctrine of privity shielded the manufacturer from any type of liability.
When you look at the software industry right now, the shielding from liability and accountability is truly almost unprecedented. If you buy software, you are left literally holding a big huge bucket of risk. You don't know what you really have. In the auto market, you have pretty clear distinctions between what the driver is responsible for, what the community is responsible for and what the manufacturer is responsible for. It's the counties and the states that get to keep the roads up. You have the driver who has got to be sober and physically capable of driving, and then the manufacturer who makes the car responsible for its safety. With software, almost all liability, all accountability, any failure that happens whatsoever is really the buyer's fault at this point. We have seen almost no tort growth when it comes to software, and that is also kind of unprecedented. It really is amazing, this lack of response from the legal system. It goes back to this immense shielding of software manufacturers.
Who needs to take the next step? You are probably going to see some furtive steps on the part of government. In general, [government officials] have done a really good job of informing manufacturers that these are the sort of practices [they] want [them] to follow. Maybe [there will be] a little more tort action when people start realizing that the liabilities being imposed on them [are] really unreasonable. It took probably 20 years before the [privity] doctrine was finally removed in the auto industry. So you are probably going to see the same kind of really slow growth in the software industry as well.
Can't government use its buying power to force software vendors to make products more secure? The problem with the argument about the buying power of the government is that it is not nearly as compelling as one might think. When you are look at the global IT market, you are looking at about a total expenditure of about $1 trillion annually. If all of government brings [its] buying power together, that's about $70 billion. In the larger scheme of things, that is under 10% of the market. Software manufacturers can say the U.S. government is pretty big, that it has a huge economy and is a consistent buyer. But in general, it still is only about 7% of the global IT market. There are still a lot of options for plenty of other buyers that software vendors can go to. So if you look at it, you have to bring more weight to bear.
The government has so far only used its "soft" power in the software market. It really has been more about, "Let me hold your hand and show you how to build better software," and "I don't want to punish you if you don't." The more negative power is where you say, "If you don't do this, we are going to punish you." The common criteria [Evaluation Assurance Level 4] (EAL-4) rating was intended to do this. The government said, "If you don't meet the common criteria requirement, we are not going to buy from you." But what has happened is that even EAL-4 has not helped the market as much as one would think. The EAL-4 rating system by itself has done nothing. We have seen 14 nations adopt EAL-4 ratings, and yet cybercrime and cyberespionage have reached unprecedented levels. Some of it is because of some certain stupid things that users do. But cybercriminals are targeting vulnerabilities. That's how they get malware on machines, that's how they are siphon off the data, that's how they put up these pop-up ads and these overlays over banking Web sites. They do this by exploiting software vulnerabilities, and EAL-4 has done nothing to stop it.
What is the answer then? What we have to do is to invert the market and make it more expensive to create bad software. How we go about it, again, is through a combination of licensure on software developers, tort liability, maybe a little bit of government intervention -- maybe directly in terms of some sort of pricing mechanisms like carbon emissions. There is no really clear path forward. Maybe the problem is there are not enough smart people talking about it.