Communications of the ACM

is now a software industry. And the products of every industry are vulnerable due to software defects. In such a context, required software regulation includes:

• Transparency: the obligation to investigate and report all exploits including their technical details.

•The prohibition of dangerous practices, such as not using type-safe languages and appropriate encryption.

•Holding companies accountable for their unsafe practices.

These requirements need the backing of legal regulations, because market forces compel industry not to invest in security too much. The market promotes a race to the bottom; except in niche applications, whoever is faster to market and cheaper wins, and whoever is tardy due to excessive investment in security loses. Regulation is the only way to level the playing field, forcing everybody to invest in what they know to be needed but think they cannot afford to do when the competition does not.

Of course, it will not be easy to implement these ideas and agree on the myriad details that need to be settled. Who gets to decide what is a “dangerous practice”? How do we deal with installed systems and legacy code? Who is charged with enforcing compliance? Moreover, it is not clear how to make this happen at the political level. In addition, no single country has jurisdiction over all software production. So a system of certification is required to enable software developers to identify reliable software, and to perform due diligence in selecting what other software to use.

International frameworks already
exist demonstrating these issues can
be solved. The EU General Data Pro-
tection Regulation (GDPR), which con-
cerns the rights of individuals to con-
trol how their personal information is
collected and processed, is an encour-
aging example. Another example is
the Common Criteria for Information
Technology Security Evaluation, an in-
ternational framework for the mutual
recognition of secure IT products. But
this covers only high-level desiderata
for security, not the regulation of low-
level technicalities. This gap is partly
filled by the Motor Industry Software
Reliability Association (MISRA), which
has defined a set of suggested safe cod-
ing practices for the automotive indus-
try. However, these are not required by
any formal regulations.
Protracted discussions on what to
do and what we are willing to pay for
are counterproductive. Such things
cannot be planned in advance. Instead
we should learn from the iterative ap-
proach to constructing software: try to
identify the regulations that promise
the highest reward for the lowest cost,
work to enact them, learn from the pro-
cess and the results, and repeat.

Regulation is in the interest of the long-term prosperity of the software industry no less than in the interest of society as a whole. Software vendors with integrity should stop resisting regulation and instead work to advance it. The experience gained will be extremely important in discussing and enacting further regulations, both in a preemptive manner and—in the worst-case scenario—in the aftermath of a security catastrophe.

References

1. Anderson, R. and Moore, T. The economics of information security. Science 314, 5799 (Oct. 26, 2006), 610–613; https://bit.ly/2GctSYd.

2. Hoare, C.A.R. The emperor’s old clothes.

Commun. ACM 24, 2 (Feb. 1981), 75–83; DOI:

10.1145/358549.358561.

3. Patterson, D.A. 20th century vs. 21st century C&C: The SPUR manifesto. Commun. ACM 48, 3 (Mar. 2005), 15–16; DOI: 10.1145/1047671.1047688.

4. Schneider, F. B. Impediments with policy interventions to foster cybersecurity. Commun. ACM 61, 3 (Mar. 2018), 36–38; DOI: 10.1145/3180493.

5. Telang, R. and Wattal, S. An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans. Softw. Eng. 33, 8 (Aug. 2007), 544–557; DOI: 10.1109/TSE.2007.70712.

6. Vardi, M. Y. Cyber insecurity and cyber libertarianism. Commun. ACM 60, 5 (May 2017), DOI:

10.1145/3073731.

7. Virginia Information Technologies Agency. Security assessment of WINvote voting equipment for department of elections. (Apr. 14, 2015); https://bit. ly/2EgvBct

Dror G. Feitelson ( feit@cs.huji.ac.il) is the Berthold Badler Chair in Computer Science at The Rachel and Selim Benin School of Computer Science and Engineering, The Hebrew University of Jerusalem, Israel.

Copyright held by author.

Regulation is in
the interest of
the long-term
prosperity of
the software
industry.

Calendar
of Events

February 11–15

WSDM 2019: The 12th ACM International Conference on Web Search and Data Mining, Melbourne, VIC, Australia, Co-Sponsored: ACM/SIG, Contact: Alistair M. Moffat, Email: ammoffat@unimelb. edu.au

February 16–20

PPoPP ‘19: 24th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, Washington, DC, Co-Sponsored: ACM/SIG, Contact: Jeff Hollingsworth, Email: hollings@cs.umd.edu

February 24–26

FPGA ‘19: The 2019 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays, Seaside, CA, Sponsored: ACM/SIG, Contact: Kia Bazargan, Email: generalchair@isfpga.org

February 25–26

HotMobile ‘19: The 20th International Workshop on Mobile Computing Systems and Applications, Santa Cruz, CA, Sponsored: ACM/SIG, Contact: Alec Wolman, Email: alec.wolman@gmail. com

February 25–March 3

SIGCSE ‘19: The 50th ACM Technical Symposium on Computing Science Education, Minneapolis, MN, Sponsored: ACM/SIG, Contact: Manuel A. Perez-Quinones, Email: perez.quinones@uncc. edu

March

March 10–14

CHIIR ‘19: Conference on Human Information Interaction and Retrieval, Glasgow, United Kingdom, Sponsored: ACM/SIG, Contact: Martin Halvey, Email: martin.halvey@gmail. com