{"id":2002,"date":"2011-02-27T17:12:22","date_gmt":"2011-02-27T17:12:22","guid":{"rendered":"http:\/\/harvardnsj.com\/?p=2002"},"modified":"2011-02-27T17:12:22","modified_gmt":"2011-02-27T17:12:22","slug":"software-the-broken-door-of-cyberspace-security","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/nsj\/2011\/02\/software-the-broken-door-of-cyberspace-security\/","title":{"rendered":"Software: The Broken Door of Cyberspace Security"},"content":{"rendered":"<p><strong>By Fred D. Taylor, Jr.* &#8212;<\/strong><\/p>\n<p><em>\u201cSoftware is most of the problem.\u00a0 We have to write software which has many fewer errors and which is more secure\u201d<\/em><\/p>\n<p><em>&#8212; Dr Ed Amoroso, head of AT&amp;T Network Security in <\/em><a href=\"http:\/\/www.richardaclarke.net\/cyber_war.php\">Cyber War<\/a>.<\/p>\n<p>The Internet has become integrated into the everyday life of millions of people around the world.\u00a0 It is the undercarriage for international banking, commerce and defense.\u00a0 The development of advanced software has increased office productivity, management, command, control, communications, computers and intelligence (C4I).<\/p>\n<p>Software is the door to the Internet \u2013 and the door is broken, allowing thieves, malcontents and the curious the opportunity to steal, deny or degrade the information and capabilities we hold most dear. 
The extensive reliance on software has created new and expanding opportunities.\u00a0 Along with these opportunities, there are new vulnerabilities putting the global infrastructure and our national security at risk.\u00a0 The ubiquitous nature of the Internet and the fact that it is serviced by common protocols and processes has allowed anyone with the knowledge to create software to engage in worldwide activities.\u00a0 However, for most software developers there is no incentive to produce software that is more secure.<\/p>\n<p>The software industry is vibrant and healthy.\u00a0 In the desire to add more functionality in a fast-changing market, there is less emphasis on quality software that is secure and error-free.\u00a0 Companies and users accept that there will be flaws in their software.\u00a0 Why?\u00a0 In any other industry, it would be unacceptable to produce a faulty product and shirk responsibility.\u00a0 Instead of taking responsibility for defects in their software, software producers have been able to transfer responsibility for its security to the user.\u00a0 Thus, consumers are obligated to purchase security software to address software shortfalls, which has fueled a growing business sector for security software.\u00a0 In 2010, worldwide security software revenue was <a href=\"http:\/\/www.gartner.com\/it\/page.jsp?id=1422314\">expected to reach $16.5B<\/a>.\u00a0 However, this pales in comparison to the enterprise software market, which will reach $246.6B in 2011 according to a <a href=\"http:\/\/www.gartner.com\/it\/page.jsp?id=1437613\">2010 Gartner software market report<\/a>.\u00a0 Software development is a growing business, but the investment is not in secure software.\u00a0 If motivated, the software industry could apply greater effort in producing better quality software, but to date that
motivation is still lacking.<\/p>\n<p>Given this backdrop, what should we do to address the problem?<\/p>\n<ol>\n<li>The government must take an active role in defining software quality standards.\u00a0 Consider instituting something similar to the lemon laws for automobiles, which were enacted to protect consumers from faulty products by making the automobile industry responsible for monitoring and improving quality.\u00a0 A <a href=\"http:\/\/www.normantaylor.com\/lemon-law-book\/chapter5\/page-2.html\">lemon law<\/a> applied to the software industry would restrict the sale of any software that does not meet security standards.\u00a0 Additionally, software companies would be liable for damage or losses resulting from flaws in their software.\u00a0 This concept could also be applied to imported software, requiring review before entering the marketplace.\u00a0 Software that does not meet standards would be denied access to the U.S. market.<\/li>\n<li>Motivate the software industry, through government incentives and regulation, to invest in better software design and development.\u00a0 The software industry should partner with the government, academia, and the science and technology community to develop new software coding that is more secure, easier to evaluate and more stringently tested.\u00a0 For example, research into advanced artificial intelligence software development tools can help further this goal.<\/li>\n<li>The consumer must no longer accept flawed software.\u00a0 The government should take responsibility for reviewing and evaluating software for quality and security compliance.\u00a0 With expanded scope and authority, existing organizations such as the U.S.
Department of Homeland Security\/Department of Commerce could serve in this capacity.<\/li>\n<\/ol>\n<p>Cyberspace security is a vital national security interest, and the United States should take an active role in improving the quality of the software which undergirds the Internet.\u00a0 The majority of cyberspace security issues can be traced back to software.\u00a0 Better quality software will have a marked effect on improving cyberspace security.\u00a0 In turn, cybercrime will be reduced, intellectual property will be more secure, and critical infrastructure will be better protected.\u00a0 Software will never be perfect, but if we resign ourselves to accept inferior products, it will not improve. \u00a0A concerted effort by private industry, government, and the consumer will generate more secure software.\u00a0 It is time to fix the broken door to the Internet.<\/p>\n<p>*Fred D. Taylor, Jr. is a Lt. Colonel in the United States Air Force and a National Security Fellow at the Harvard Kennedy School. The views expressed in this article are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.<\/p>\n<p><em>Image courtesy of <\/em>the U.S. Department of Homeland Security<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Harvard National Security Fellow Fred D. Taylor, Jr. suggests the government take a more active role in promoting quality software design and development. 
<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[1],"tags":[]}