October 20th, 2005

Who's accountable (or liable) for software security?

Posted by Dan Farber @ 4:07 pm

Categories: General, Security

Bruce Schneier has added his viewpoint to the debate that started with Howard Schmidt’s comment that programmers should be held personally accountable for the quality of their code. In a Wired News column, Schneier writes:

He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits.

Security expert Schneier makes the mistake of thinking that Schmidt (former White House cybersecurity adviser as well as Microsoft and eBay security czar) said that programmers should be held liable. Schmidt only said that programmers should take personal responsibility for writing secure code, and that performance reviews should take into account whether their code adheres to approved security models. He also advocates more training for developers to help improve the level of security in the products they build.

Schneier goes on to say in his Wired News column:

He [Schmidt] wants individual software developers to be liable, and not the corporations. This will certainly give pissed-off users someone to sue, but it won’t reduce the externality and it won’t result in more-secure software.

Computer security isn’t a technological problem — it’s an economic problem. Socialists might imagine that companies will improve software security out of the goodness of their hearts, but capitalists know that it needs to be in companies’ economic best interest. We’ll have fewer vulnerabilities when the entities that have the capability to reduce those vulnerabilities have the economic incentive to do so. And this is why solutions like liability and regulation work.

Again, Schmidt never said he favors making individual software developers liable, and he would likely agree with Schneier that the economic incentives (such as, stop buying insecure products) haven’t reached a tipping point. Schneier favors liability and regulation targeting the companies. Holding companies liable for negligent coding makes sense to me, but in my conversation with Schmidt, he said that he doesn’t favor legal remedies. As Schneier concludes:

If end users can sue software manufacturers for product defects, then the cost of those defects to the software manufacturers rises. Manufacturers are now paying the true economic cost for poor software, and not just a piece of it. So when they’re balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side. This will provide an incentive for them to make their software more secure.

The question is how to define what you can sue a software vendor over. Without clearer parameters about what kinds of software vulnerabilities and incidents justify legal remedy, the ambulance chasers will have a field day…

Dan Farber, editor-in-chief of CNET News.com, has more than 20 years of experience as an editor and journalist covering technology. See his full profile and disclosure of his industry affiliations.

