The term “computer security” is itself a contradiction in terms. The incentives for software firms to take security measures seriously are currently too weak. Changing that attitude will require not just technical tools, but economic ones as well.
In the past year alone, the $4.8bn takeover of internet firm Yahoo by telecom major Verizon was nearly derailed by two enormous data breaches, and Russian hackers infamously “interfered” in the U.S. presidential elections. The problem is only expected to get worse. Apart from the headlines, there is a booming black market in stolen digital goods, computerized extortion, and hackers-for-hire.
It also goes beyond the traditional password-protected environment. Most major companies, including tech giants like Google, Facebook and Twitter, have implemented two-factor authentication. At present, however, customers can choose whether to use it. Not for long. Expect stringent measures like two-factor authentication to become the norm soon.
Computers are increasingly dealing not just with abstract data (say, credit-card and user information) but also with the real world of material objects and vulnerable human bodies. A modern vehicle is a computer on wheels; chips traverse our blood vessels for diagnostics. The addition of the “Internet of Things” will see micro-devices baked into everything from prosthetics and road signs to MRI scanners and shopping carts. The chance of these gadgets being any more trustworthy than their larger, more sophisticated counterparts is slim.
And the fact remains that many firms, especially non-tech ones, fail to take security seriously enough. Companies of all stripes must embrace initiatives like “bug bounty” or “hackathon” programs, wherein firms reward ethical hackers for discovering flaws, which can then be fixed before they are exploited.
But there remains no surefire way to make computers fully safe because the software industry is getting more sophisticated with each passing day. The average program has 14 different vulnerabilities, each of them a potential point of illegal entry. Such weaknesses are compounded by exposure to the internet.
Societies have developed ways and means of dealing with risk—through government regulation or the use of legal liability and insurance to devise incentives for safer measures.
Terrorist and criminal activities often spark calls for the encryption in messaging programs like WhatsApp to be weakened so that security agencies can better monitor what individuals are up to. But it needs to be recalled that this is the same security that guards bank transactions and online identities. Computer security will be best served by encryption standards that are strong overall. The government’s first priority should be to refrain from making the situation worse.
For decades, the software industry has shied away from liability for the harm caused when its products are at fault. Silicon Valley’s rapid-fire “go fast and break things” style of innovation means that firms have been relatively free to put out new products while they still need perfecting. But this approach is set to become extinct soon.
As computer technology spreads to products and industries already covered by liability arrangements, such as automobiles or health care, the industry’s ways will increasingly face off against existing laws.
Of late, a fast-growing market in cyber-security insurance offers a way to protect both consumers and the computing industry’s ability to innovate. Companies whose products do not work as intended, or are prone to compromise, will find their premiums rising, forcing them to deal with the problem. On the other hand, a firm that takes reasonable measures to make things safe will have recourse to affordable insurance coverage.