A Tax on Buggy Software
Forbes (06/26/08) Greenberg, Andy
David Rice, an instructor at the SANS Institute* and a former cryptographer for the National Security Agency and NASA, has published “Geekonomics: The Real Cost of Insecure Software,” a new book that criticizes the software industry for its careless attitude toward security. Rice says the total economic cost of software security flaws is about $180 billion a year.
Rice suggests creating a tax on software based on the number and severity of its security bugs, even if the cost gets passed on to consumers, in order to hold software manufacturers accountable. He says hackers simply run tests to discover flaws in the software, the same tests that software publishers could run themselves before hackers have access to the programs.
The software companies control how much testing they do before programs are released, Rice says, and they do not have the right incentives to do the testing necessary to create secure software. He says the tax model would solve software problems in the same way that taxes help curb pollution from manufacturing. Rather than trying to stop manufacturing or prohibiting pollution, companies are taxed for the amount of pollution they create, motivating them to reduce emissions.
Rice says software vulnerabilities, like pollution, are inevitable, so instead of requiring software to be secure, the tax should target insecurity and let the market determine the price it is willing to pay for vulnerabilities in software. Manufacturers whose software is the most insecure would pay the most. The tax would also create a rating system, similar to the safety star-rating system used for cars, to help consumers know which software is the most secure.
* Completely off the subject: I attended a Linux bootcamp at SANS many moons ago. It was heinous. Great instructor, but OMFG it was very, very long. A 6-day week of 12-hour days in a school chair. My arse has never been the same. OTOH, I built my own kernel, which was swell. I was one of about 6 women at that conference, with about 2000 guys. Also heinous, except I never had to wait for a toilet. If you’re into internet security at all you probably know all about SANS already. They are the end-all and be-all of hackerific security info.