Computer science professor Moshe Y. Vardi is the Senior Editor of Communications of the ACM.

And he's concerned about the state of cybersecurity today:

In 2017, I wrote: "So here we are, 70 years into the computer age and after three ACM Turing Awards in the area of cryptography (but none in cybersecurity), and we still do not seem to know how to build secure information systems." What would I write today? Clearly, I would write: "75 years," but I would not change a word in the rest of the sentence....

The problem is not due to a lack of technical solutions; one of the reasons is a market failure that disincentivizes those who can fix security vulnerabilities. The computing field tends to focus on efficiency at the expense of resilience. Market players are reluctant to pay the cost of security in terms of performance. The Computing Community Consortium organized a visioning workshop on mechanism design for improving hardware security to discuss the market failure issue. A lawyer who specializes in national security law gave the opening talk. He said technological development is based on human behavior.

The key to good cybersecurity is to reward people for doing things. The answer lies in the economics of cybersecurity, which is a private domain with a lot of externalities, where prices do not capture all costs. Computing vendors are responsible for the reliability and safety of their products, but the lack of liability results in a lack of accountability. She warned about the erosion of accountability in the 1980s. The "move-fast-and-break-things" culture in this century shows that she was correct in her warnings.

We should welcome liability into computing if we want to address the cyber-insecurity problem.


Thanks to long-time Slashdot reader shanen for sharing the article.