Communications of the ACM

try to take the required actions. 1, 6 Buyers will not pay a premium for value ( security) they cannot measure, and which in many cases does not affect them personally and directly. Approaches suggested by economists to measure the value of protection do not help because the cost of a security catastrophe is up to anyone’s imagination. This has prevented an insurance industry for software producers from emerging, and as Anderson and Moore write, “if this were the law, it is unlikely that Microsoft would be able to buy insurance.” 1 In practice, the reduction in stock value after disclosing a vulnerability is less than 1%. 5 The abstract danger of large-scale attacks leading to financial loss and even loss of human life is not enough to change this.

At the same time, we are inundated by increasing numbers of reports of data breaches and hackers infiltrating various systems (see Table 2 for prominent recent examples). Some of these incidents demonstrate that extensive physical civil infrastructures are at peril across the globe—including hospitals, power plants, water works, transportation systems, and even nuclear facilities. And the root cause at least in some cases is the failure of the software to take appropriate precautions.

The software systems in a modern
car—not to mention a passenger plane
or a jet fighter—are of a scope and com-
plexity that rivals any operating system
or database produced by the traditional
software industry. Indeed, every industry
ments are the perceived monetary costs,
the difficulties or even the impossibil-
ity of implementation, and the fear of
reduced innovation and technological
progress. Schneider, in a recent Com-
munications Viewpoint, also notes the
need for a detailed cost/benefit analy-
sis to ascertain what society is willing
to pay for improved security, where the
costs also include reduced convenience
(due to the need for authentication) and
functionality (due to isolation). 4 And in-
deed all regulations are, by definition,
limiting. But do we really need to wait
for a large-scale security catastrophe,
possibly including significant loss of
life, before we act at all? As the Micro-
soft example shows, extensive techno-
logical solutions and best practices
actually already exist. It is just a matter
of making their use pervasive.

So why are software security faults tolerated? A possible explanation is that software deficiencies have so far been less tangible than those of traditional industries. Many people install multiple locks on their doors and would consider holding intruders to their homes at gunpoint, but fail to take sufficient safeguards to protect their home computers from hackers. The problems resulting from identity theft are much more common but also much more bureaucratic, boring, and less visual compared to more dramatic problems such as exploding gas tanks in pickup trucks.

But above all else, it seems there is a market failure in incentivizing the indus-

Advertise with ACM!

Reach the innovators
and thought leaders
working at the
cutting edge
of computing
and information
technology through
ACM’s magazines,
websites
and newsletters.

Request a media kit
with specifications
and pricing:

Ilia Rodriguez

+ 1 212-626-0686

acmmediasales@acm.org

◊◆◊◆◊

Table 2. Notable security incidents from 2007–2017.

Year Incident Significance

2007 Massive DDoS attacks on organizations and
infrastructure in Estonia
First demonstration of extensive countrywide
disruptions, possibly in connection to
international relations

2010 The Stuxnet cyber-weapon is used to disable
physical centrifuges used in Iran’s nuclear
program
Demonstration of potential impact on
computer-controlled physical infrastructure,
and demonstration of cyber-weapons that
jump air-gaps and remain undetected for
long periods

2013 Yahoo is hacked and data about all three
billion user accounts is stolen
Biggest data breach of its kind

2016 Hackers break into DNC computers and disseminate confidential documents ——————————————— DDoS attacks using a botnet of some 1. 5 million Io T devices (ironically, mainly security cameras)

Strategic hacking with possible effect on the outcome of the U.S. presidential election ——————————————— Demonstration of new vulnerabilities resulting from technological progress and insufficient consideration of security

2017 The WannaCry ransomware infects more than 200,000 computers in 150 countries, causing disruptions such as the closing down of 16 hospitals in the U.K.