President Clinton warned of the insecurities
created by cyber-based systems and directed in 1998 that “no later than five
years from today the United States shall
have achieved and shall maintain the
ability to protect the nation’s critical
infrastructures from intentional acts
that would significantly diminish” our
security.[6] Five years later would have
been 2003.
In 2003, as if in a repeat performance of a bad play, the second President Bush stated that his cybersecurity
objectives were to “[p]revent cyber attacks against America’s critical infrastructure; [r]educe national vulnerability to cyber attacks; and [m]inimize
damage and recovery time from cyber
attacks that do occur.”[7]
These Presidential pronouncements
will be of interest chiefly to historians
and to Congressional investigators who,
in the aftermath of a disaster that we
can only hope will be relatively minor,
will be shocked, shocked to learn that
the nation was electronically naked.
Current efforts in Washington to
deal with cyber insecurity are promising—but so was Sisyphus’ fourth or
fifth trip up the hill. These efforts are
moving at a bureaucratically feverish
pitch—which is to say, slowly—and
so far they have produced nothing
but more declarations of urgency and
more paper. Why?
Lawsuits and markets
Change in the U.S. is driven by three
things: liability, market demand, and
regulatory (usually federal) action. The
role and weight of these factors vary in
other countries, but the U.S. experience
may nevertheless be instructive transnationally since most of the world’s intellectual property is stored in the U.S.,
and the rest of the world perceives U.S.
networks as more secure than we do.[4] So
let’s examine each of these three factors.
Liability has been a virtually nonexistent factor in achieving greater Internet security. This may be surprising until you ask: Liability for what, and who
should bear it? Software licenses are
enforceable, whether shrink-wrapped
or negotiated, and they nearly always
limit the manufacturer’s liability to
the cost of the software. So suing the
software manufacturer for allegedly
lousy security would not be worth the
money and effort expended. What are
the damages, say, from finding your
computer is an enslaved member of a
botnet run out of Russia or Ukraine?
And how do you prove the problem was
caused by the software rather than your
own sloppy online behavior?
Asking Congress to make software
manufacturers liable for defects would
be asking for trouble: All software is
defective, because it’s so astoundingly
complicated that even the best of it
hides surprises. Deciding what level
of imperfection is acceptable is not
a task you want your Congressional
representative to perform. Any such
legislation would probably drive some
creative developers out of the market.
It would also slow down software development—which would not be all bad if
it led to higher security. But the general
public has little or no understanding of
the vulnerabilities inherent in poorly
developed applications. On the contrary, the public clamors for rapidly
developed apps with lots of bells and
whistles, so an equipment vendor that
wants to control this proliferation of
vulnerabilities in the name of security
is in a difficult position.
Banks, merchants, and other holders of personal information do face liability for data breaches, and some have
paid substantial sums for data losses
under state and federal statutes granting liquidated damages for breaches.
In one of the best known cases, Heartland Payments Systems may end up
paying approximately $100 million as a
result of a major breach, not to mention
millions more in legal fees. But the defendants in such cases are buyers, not
makers and designers, of the hardware
and software whose deficiencies create
many (but not all) cyber insecurities.
Liability presumably makes these companies somewhat more vigilant in their
business practices, but it doesn’t make
hardware and software more secure.
Many major banks and other companies already know they have been
persistently penetrated by highly
skilled, stealthy, and anonymous adversaries, very likely including foreign
intelligence services and their surrogates. These firms spend millions
fending off attacks and cleaning their
systems, yet no forensic expert can
honestly tell them that all advanced
persistent intrusions have been defeated. (If you have an expert who will
say so, fire him right away.)
In an effective liability regime, insurers play an important role in raising
standards because they tie premiums
to good practices. Good automobile
drivers, for example, pay less for car
insurance. Without a liability dynamic,
however, insurers play virtually no role
in raising cyber security standards.
If liability hasn’t made cyberspace
more secure, what about market demand? The simple answer is that the
consuming public buys on price and
has not been willing to pay for more
secure software. In some cases the aftermath of identity theft is an ordeal.
In most instances of credit card fraud,
however, the bank absorbs 100% of the
loss, so their customers have little incentive to spend more for security. (In
Britain, where the customer rather than
the bank usually pays, the situation is arguably worse because banks are in a better position than customers to impose
higher security requirements.) Most
companies also buy on price, especially
in the current economic downturn.
Unfortunately we don’t know whether consumers or corporate customers would pay more for security if they
knew the relative insecurities of the
products on the market. As J. Alex Halderman of the University of Michigan
recently noted, “most customers don’t
have enough information to accurately
gauge software quality, so secure software and insecure software tend to sell
for about the same price.”[3] This could
be fixed, but doing so would require
agreed metrics for judging products
and either the systematic disclosure of
insecurities or a widely accepted testing and evaluation service that enjoyed
the public’s confidence. Consumer Re-