is now a software industry. And the products of every industry are vulnerable due
to software defects. In such a context, required software regulation includes:
• Transparency: the obligation to
investigate and report all exploits including their technical details.
•The prohibition of dangerous
practices, such as not using type-safe
languages and appropriate encryption.
•Holding companies accountable
for their unsafe practices.
These requirements need the
backing of legal regulations, because
market forces compel industry not to
invest in security too much. The market promotes a race to the bottom;
except in niche applications, whoever
is faster to market and cheaper wins,
and whoever is tardy due to excessive
investment in security loses. Regulation is the only way to level the playing field, forcing everybody to invest
in what they know to be needed but
think they cannot afford to do when
the competition does not.
Of course, it will not be easy to implement these ideas and agree on the myriad details that need to be settled. Who
gets to decide what is a “dangerous practice”? How do we deal with installed systems and legacy code? Who is charged
with enforcing compliance? Moreover,
it is not clear how to make this happen
at the political level. In addition, no
single country has jurisdiction over all
software production. So a system of certification is required to enable software
developers to identify reliable software,
and to perform due diligence in selecting what other software to use.
International frameworks already
exist demonstrating these issues can
be solved. The EU General Data Pro-
tection Regulation (GDPR), which con-
cerns the rights of individuals to con-
trol how their personal information is
collected and processed, is an encour-
aging example. Another example is
the Common Criteria for Information
Technology Security Evaluation, an in-
ternational framework for the mutual
recognition of secure IT products. But
this covers only high-level desiderata
for security, not the regulation of low-
level technicalities. This gap is partly
filled by the Motor Industry Software
Reliability Association (MISRA), which
has defined a set of suggested safe cod-
ing practices for the automotive indus-
try. However, these are not required by
any formal regulations.
Protracted discussions on what to
do and what we are willing to pay for
are counterproductive. Such things
cannot be planned in advance. Instead
we should learn from the iterative ap-
proach to constructing software: try to
identify the regulations that promise
the highest reward for the lowest cost,
work to enact them, learn from the pro-
cess and the results, and repeat.
Regulation is in the interest of the
long-term prosperity of the software
industry no less than in the interest of
society as a whole. Software vendors
with integrity should stop resisting
regulation and instead work to advance it. The experience gained will be
extremely important in discussing and
enacting further regulations, both in a
preemptive manner and—in the worst-case scenario—in the aftermath of a
1. Anderson, R. and Moore, T. The economics of
information security. Science 314, 5799 (Oct. 26,
2006), 610–613; https://bit.ly/2GctSYd.
2. Hoare, C.A.R. The emperor’s old clothes.
Commun. ACM 24, 2 (Feb. 1981), 75–83; DOI:
3. Patterson, D.A. 20th century vs. 21st century C&C: The
SPUR manifesto. Commun. ACM 48, 3 (Mar. 2005),
15–16; DOI: 10.1145/1047671.1047688.
4. Schneider, F. B. Impediments with policy interventions
to foster cybersecurity. Commun. ACM 61, 3 (Mar.
2018), 36–38; DOI: 10.1145/3180493.
5. Telang, R. and Wattal, S. An empirical analysis of the
impact of software vulnerability announcements on
firm stock price. IEEE Trans. Softw. Eng. 33, 8 (Aug.
2007), 544–557; DOI: 10.1109/TSE.2007.70712.
6. Vardi, M. Y. Cyber insecurity and cyber libertarianism.
Commun. ACM 60, 5 (May 2017), DOI:
7. Virginia Information Technologies Agency. Security
assessment of WINvote voting equipment for
department of elections. (Apr. 14, 2015); https://bit.
Dror G. Feitelson ( firstname.lastname@example.org) is the Berthold
Badler Chair in Computer Science at The Rachel and
Selim Benin School of Computer Science and Engineering,
The Hebrew University of Jerusalem, Israel.
Copyright held by author.
Regulation is in
the interest of
WSDM 2019: The 12th ACM
International Conference on
Web Search and Data Mining,
Melbourne, VIC, Australia,
Contact: Alistair M. Moffat,
PPoPP ‘19: 24th ACM SIGPLAN
Symposium on Principles
and Practice of Parallel
Contact: Jeff Hollingsworth,
FPGA ‘19: The 2019 ACM/SIGDA
Contact: Kia Bazargan,
HotMobile ‘19: The 20th
on Mobile Computing Systems
Santa Cruz, CA,
Contact: Alec Wolman,
February 25–March 3
SIGCSE ‘19: The 50th ACM
Technical Symposium on
Computing Science Education,
Contact: Manuel A. Perez-Quinones,
CHIIR ‘19: Conference on
Human Information Interaction
Glasgow, United Kingdom,
Contact: Martin Halvey,