Reading:
- Hacking mainframes for CICS and giggles (PPTX ~43mb)
- Report: 52% of businesses still running Windows XP, despite support ending in 2014
- Still problems for Schneider Electric, Schneider Modicon TM221CE16R has a hardcoded password
should make you realize hunting and punishing hackers a very doubtful approach to improving cybersecurity.
Even if flaws are fixed in software, users resist upgrading and in other cases, vulnerabilities persist over decades. To put it bluntly, the opportunities for hacking increase with every software release or patch.
Hackers can be and are caught, then tried or plead out with great fanfare, but if security reports are to be credited, cybercrime continues to increase by leaps and bounds.
Using a non-cybersecurity example, what if your locality had a burglary problem? Every month, as new homes are built, the burglary rates go up. Upon investigation you discover that builders are not putting locks on doors or windows of new homes.
Your policy choices are:
- Hire more police officers and step up patrols to catch burglars, or
- Require builders to install and test locks on windows and doors.
Option #1, like punishing hackers, requires you to catch the burglars first. A chancy proposition at best, even more so for hackers. The bottom line is you are catching and punishing a minuscule portion of the burglars or hackers. For our example, assume that burglaries continue to increase despite your high conviction rate.
Option #2, well, builders are a lot easier to catch than burglars or hackers. They are selling a commercial product that depends upon repeat business so we can not only set requirements, we can also monitor if those requirements are being met.
Setting the standards for legal liability for flaws in software won’t be easy, but consider that despite the liabilities imposed on pharmaceutical companies:
…
Last year, five pharmaceutical companies made a profit margin of 20% or more – Pfizer, Hoffmann-La Roche, AbbVie, GlaxoSmithKline (GSK) and Eli Lilly.
… (from Pharmaceutical industry gets high on fat profits)
Ask your CFO when was the last time your company made a 20% profit, after liabilities and R&D, etc.?
Vendors can compete to produce more secure software (less liability) or compete to race to market with insecure software (feeding hackers).
Which approach do you think leads to greater cybersecurity overall?