Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 3, 2015

How fear and self-preservation are driving a cyber arms race disaster

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:53 pm

How fear and self-preservation are driving a cyber arms race by Max Taves.

From the post:

When a man was fired from his job in Minneapolis, Minn., last May, he inadvertently touched off a boom in Silicon Valley.

Gregg Steinhafel, then a 35-year veteran of Target and its CEO, was shown the door after hackers infiltrated the retailer’s computer systems, stealing 70 million shoppers’ information and 40 million credit and debit card numbers. It turned out the hack might have been prevented, had the company not ignored warnings from its own security systems.

It happened again in December, when Amy Pascal, one of the most powerful women in Hollywood, was fired from her job heading up Sony Pictures after hackers exposed thousands of financial documents and emails revealing the film studio’s inner secrets. The hack captured the world’s attention and elicited criticism from customers, industry leaders and even the president of the United States.

Pascal’s and Steinhafel’s exits sent shockwaves through corporate America. The message was clear: Top executives will be held responsible for their companies’ cybersecurity failings.

The result, venture capitalists say, has been a boom for cybersecurity startups. In ways that previous attacks on consumers never did, the firings have sparked a scramble for new security technology by companies desperate to head off the next costly, embarrassing cyberattack. And venture capitalists are responding, pouring unprecedented billions into a dizzying array of young companies and their, largely, untested products.

Last year, these companies received an aggregate $2.39 billion in funding, a 35 percent increase over 2013, according to venture capital data firm CB Insights. That’s the most money that’s been funneled into cybersecurity companies ever. Silicon Valley is betting companies have woken up to the real dangers of living in the Internet age.

(emphasis added)

Wait! Do you remember the graphic for point-of-sale systems?

[Graphic: PoS-systems]

The security faults of these systems are in software.

So, $2.39 billion is being invested in software (which will have vulnerabilities) to sit on top of already vulnerable systems.

Somehow, that fails to fill me with warm fuzzies.

Funding research on better software engineering techniques, research on and adoption of standard software practices, funding dissemination of security research and information, etc., would all be positive contributions to improving computer security.

Using techniques known to produce vulnerable software and expecting an improvement in security is, by definition, insanity.

Advisers to venture capitalists need to check their E&O policies before advising clients to invest in security software.
