Imagine buying a new car only to receive an email every few weeks warning that your brakes, steering column, or airbags contain newly discovered defects. You're instructed to install fixes immediately because criminals have already figured out how to exploit them. If you fail to act quickly enough, your insurance company may refuse coverage, regulators may investigate, and your business could suffer catastrophic losses. Consumers would never tolerate that model in the automotive industry. Yet it has become standard operating procedure in software.
Someone clearly has never seen the yearly parts and systems recalls automotive manufacturers issue. And is also apparently ignorant of the manufacturers ability to update the Cars software remotely. The insurance companies effectively build it into their pricing models at this point. And the regulators are either working for the manufacturers they’re supposed to be regulating. Or hopelessly incompetent. Such as the FDA.
For too long, software companies have operated under an economic model that rewards speed, feature development, and rapid market entry while treating cybersecurity as a downstream responsibility. If vulnerabilities emerge -- and they inevitably do -- the expectation is that customers will install patches, security teams will detect attacks, endpoint protection vendors will block malware, and incident responders will clean up whatever slips through. That's not accountability. That's outsourcing risk.
He basically describes the incentive structure of the modern U.S Economy in a nutshell. Beat your competitors to market. Deliver a ‘Good Enough’ product made as cheaply as possible. Outsource as much of the risk and liability to the consumer as you can feasibly manage. Pocket the difference.
Manufacturers already face liability when defective products harm consumers. Pharmaceutical companies must demonstrate safety before medications reach the market. Aviation manufacturers follow rigorous certification processes because failure carries unacceptable consequences.
At best Manufacturers slap a warning label on a product that absolves them of liability And even then getting them to do that much is like pulling teeth. Hell it’s considered a leading news story anytime major manufacturers are held accountable for anything. The pharmaceutical companies own the regulatory agency overseeing them. The testing is a formality. About the only one that follows rigorous standards is Aviation. And even that can be debatable depending the company.
If software manufacturers know they will be held accountable for avoidable security failures, they'll invest more heavily in secure development, rigorous testing, and resilient engineering.
All of that costs money that eats into profit margins. They’ll be more liable to invest in ways of skirting accountability and outsourcing even more risk and liability to the consumer. It’d be cheaper for them in the long run. Hell. They’ll just add a warning label and a “We can’t be held liable for anything” clause into the software EULA.
Everything he does raise is a valid complaint. Though I noticed he also never covered the problems and Security Breaches linked to the 3rd party IT contractors. You can have the best security in the world. But it’s useless if the contractor you hired on the cheap gives the attackers a back door. Since like no one does anything in house anymore if they can help it.
His possible solution of Government procurement shifting industry priorities is interesting. But it almost immediately runs afoul of the fact that a cheaper ‘Good Enough’ product you can have right now. Beats a perfect product you can have in another 6 months. For most consumers Government included. So you’d need to both start changing consumer preferences and get people to stop whining about waisting taxpayer funds if the Feds start seriously investing into quality and ‘perfect’. Over cheap and ‘good enough’
Someone clearly has never seen the yearly parts and systems recalls automotive manufacturers issue. And is also apparently ignorant of the manufacturers ability to update the Cars software remotely. The insurance companies effectively build it into their pricing models at this point. And the regulators are either working for the manufacturers they’re supposed to be regulating. Or hopelessly incompetent. Such as the FDA.
He basically describes the incentive structure of the modern U.S Economy in a nutshell. Beat your competitors to market. Deliver a ‘Good Enough’ product made as cheaply as possible. Outsource as much of the risk and liability to the consumer as you can feasibly manage. Pocket the difference.
At best Manufacturers slap a warning label on a product that absolves them of liability And even then getting them to do that much is like pulling teeth. Hell it’s considered a leading news story anytime major manufacturers are held accountable for anything. The pharmaceutical companies own the regulatory agency overseeing them. The testing is a formality. About the only one that follows rigorous standards is Aviation. And even that can be debatable depending the company.
All of that costs money that eats into profit margins. They’ll be more liable to invest in ways of skirting accountability and outsourcing even more risk and liability to the consumer. It’d be cheaper for them in the long run. Hell. They’ll just add a warning label and a “We can’t be held liable for anything” clause into the software EULA.
Everything he does raise is a valid complaint. Though I noticed he also never covered the problems and Security Breaches linked to the 3rd party IT contractors. You can have the best security in the world. But it’s useless if the contractor you hired on the cheap gives the attackers a back door. Since like no one does anything in house anymore if they can help it.
His possible solution of Government procurement shifting industry priorities is interesting. But it almost immediately runs afoul of the fact that a cheaper ‘Good Enough’ product you can have right now. Beats a perfect product you can have in another 6 months. For most consumers Government included. So you’d need to both start changing consumer preferences and get people to stop whining about waisting taxpayer funds if the Feds start seriously investing into quality and ‘perfect’. Over cheap and ‘good enough’