By Fred D. Taylor, Jr.*

“Software is most of the problem. We have to write software which has many fewer errors and which is more secure.”

— Dr Ed Amoroso, head of AT&T Network Security in Cyber War.

The Internet has become integrated into the everyday life of millions of people around the world. It is the undercarriage for international banking, commerce and defense. The development of advanced software has improved office productivity and management, and has strengthened command, control, communications, computers and intelligence (C4I).

Software is the door to the Internet – and the door is broken, allowing thieves, malcontents and the curious the opportunity to steal, deny or degrade the information and capabilities we hold most dear. The extensive reliance on software has created new and expanding opportunities. Along with these opportunities come new vulnerabilities that put the global infrastructure and our national security at risk. The ubiquitous nature of the Internet, and the fact that it is serviced by common protocols and processes, has allowed anyone with the knowledge to write software to operate worldwide. However, for most software developers there is no incentive to produce software that is more secure.

The software industry is vibrant and healthy. In the desire to add more functionality in a fast-changing market, there is less emphasis on quality software that is secure and error-free. Companies and users accept that there will be flaws in their software. Why? In any other industry it would be unacceptable to allow a producer to ship a faulty product and shirk responsibility. Instead of taking responsibility for defects in their software, software producers have been able to transfer that responsibility to the user. Software companies pass on responsibility for the security of their software to the consumer. Thus, consumers are obligated to purchase security software to address software shortfalls, which has fueled a growing business sector for security software. In 2010, worldwide security software revenue was expected to reach $16.5B. However, this pales in comparison to the enterprise software market, which will reach $246.6B in 2011 according to a 2010 Gartner software market report. Software development is a growing business, but the investment is not in secure software. If motivated, the software industry could apply greater effort to producing better quality software, but to date that motivation is still lacking.

Given this backdrop, what should we do to address the problem?

  1. The government must take an active role in defining software quality standards. Consider instituting something similar to the lemon laws for automobiles, which were enacted to protect consumers from faulty products by forcing the automobile industry to take responsibility for monitoring and improving quality. A lemon law applied to the software industry would restrict the sale of any software that does not meet security standards. Additionally, software companies would be liable for damage or losses resulting from flaws in their software. This concept could also be applied to imported software, requiring review before it enters the marketplace. Software that does not meet standards would be denied access to the U.S. market.
  2. Motivate the software industry, through government incentives and regulation, to invest in better software design and development. The software industry should partner with the government, academia and the science and technology community to develop new ways of writing software that are more secure, easier to evaluate and more stringently tested. For example, research into advanced artificial intelligence software development tools can help further this goal.
  3. The consumer must no longer accept flawed software. The government should take responsibility for reviewing and evaluating software for quality and security compliance. With expanded scope and authority, existing organizations such as the U.S. Department of Homeland Security or the Department of Commerce could serve in this capacity.

Cyberspace security is a vital national security interest, and the United States should take an active role in improving the quality of the software that undergirds the Internet. The majority of cyberspace security issues can be traced back to software. Better quality software will have a marked effect on improving cyberspace security. In turn, cybercrime will be reduced, intellectual property will be more secure, and critical infrastructure will be better protected. Software will never be perfect, but if we resign ourselves to accepting inferior products, it will not improve. A concerted effort by private industry, government, and the consumer will generate more secure software. It is time to fix the broken door to the Internet.

*Fred D. Taylor, Jr. is a Lt. Colonel in the United States Air Force and a National Security Fellow at the Harvard Kennedy School. The views expressed in this article are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.
