Is There a Lack of Market Incentives for Cybersecurity?

Computer science professor Moshe Y. Vardi is the Senior Editor of Communications of the ACM. And he's concerned about the state of cybersecurity today: In 2017, I wrote: "So here we are, 70 years into the computer age and after three ACM Turing Awards in the area of cryptography (but none in cybersecurity), and we still do not seem to know how to build secure information systems." What would I write today? Clearly, I would write: "75 years," but I would not change a word in the rest of the sentence.... The slow progress in cybersecurity is leading many to conclude the problem is not due to just a lack of technical solution but reflects a market failure, which disincentivizes those who may be able to fix serious security vulnerabilities from doing so. As I argued in 2020, the computing fields tend to focus on efficiency at the expense of resilience. Security usually comes at a cost in terms of performance, a cost that market players seem reluctant to pay. To discuss the market-failure issue and how to address it, the Computing Community Consortium organized in August this year a visioning workshop on Mechanism Design for Improving Hardware Security. The opening talk was given by Paul Rosenzweig, an attorney who specializes in national security law. He argued that technological development is founded, at the end, on human behavior. So, the key to good cybersecurity is to incentivize humans. Thus, the answer lies in the economics of cybersecurity, which is, mostly, a private domain with lots of externalities, where prices do not capture all costs.... As the philosopher Helen Nissenbaum pointed out in a 1996 article, while computing vendors are responsible for the reliability and safety of their product, the lack of liability results in lack of accountability. She warned us more than 25 years ago about eroding accountability in computerized societies. The development of the "move-fast-and-break-things" culture in this century shows that her warning was on the mark.... If we want to address the cyber-insecurity issue, we should start by welcoming liability into computing. Thanks to long-time Slashdot reader shanen for sharing the article

Read more of this story at Slashdot.