Security: Time to Take Names, Lay Blame
Currently, the security burden lies with the consumer to keep up with patches, but that has become an overwhelming task.There were two interesting developments last month in the realm of information security. One was the release of a new report by the National Academy of Sciences; the other was the apparent Saul-on-the-road-to-Tarsus conversion of Bill Gates to a belief in the paramount importance of security. The NAS report, "Cybersecurity Today and Tomorrow: Pay Now or Pay Later," observes that security is often neglected because it costs money. But the most attention-getting recommendation is for policy-makers to consider "legislative responses," including making vendors liable for security breaches.
This recommendation is going to mean a serious change in the way we have approached vendor accountability. It also raises many questions about how such legislation will work. Assignment of liability depends on shared assumptions about what constitutes adequate security efforts and on whom the burden of making those efforts rests. Currently, the security burden lies with the consumer to keep up with patches, but that has become an overwhelming task. Since it is less costly and less disruptive to write secure software upfront than it is to clean up thousands of systems later, the bulk of the burden should lie with the vendor.