informa
/
Risk
News

Insecure Software Costs US $180B per Year

'Vulnerability tax' might be the answer, says SANS instructor and security expert David Rice

Consumers have protections when it comes to E. coli-ridden vegetables, lead-tainted toys, and other defective products. Why not from insecure and vulnerability-flawed software that threatens their personal data?

That's one argument posed by David Rice, director of the Monterey Group and a SANS course instructor who has just published a new book called "Geekconomics: The Real Cost of Insecure Software".

In the book, Rice, who has worked on national security issues for the National Security Agency and the military, poses a bold solution to cleaning up what he calls the "pollution" of insecure software: instituting a "vulnerability tax" on vendors.

"I know [tax] is a four-letter word in this country," Rice said an in interview with Dark Reading today. "I expect a lot of heated debate."

He estimates that the actual cost of insecure software to the U.S. is at least $180 billion per year, although he acknowledges that such numbers are "soft." He based his estimates on other numbers -- including a recent General Accounting Office report that says the U.S. cybercrime market is around $117 billion -- as well as other reports, such as estimates of worldwide phishing operations of $350 billion per year.

But it's Rice's controversial proposal for making the software industry more accountable for flawed software that is likely to raise some eyebrows. It's a taxation model akin to what automakers pay, and which buyers ultimately absorb when purchasing carbon-emitting vehicles.

According to Rice, software bugs have led to everything from physical danger (software defects led to a 1996 Boeing 757 crash) to infrastructure disruption (the 2003 power blackout caused by a software problem) to a burgeoning cybercrime market.

Rice acknowledges that taxing software vendors would cause an unpopular side effect: Consumers would ultimately pay more for software. But the software theoretically would be less buggy. "Right now, people don't feel the social cost of insecure software," he says. "That's what this model tries to do."

Just as a traditional manufacturer would pay less tax by becoming "greener," the software manufacturer would pay less tax for producing "cleaner" code, he says. "Those software manufacturers would pay less tax pass on less expense to the consumer, just as a regular manufacturing company would pass on less carbon tax to their customers," he says.

It's not clear how the software quality would be measured, he says, but the idea would be for a software maker to get tax breaks for writing code with fewer security vulnerabilities.

And the consumer ideally would pay less for more secure software because tax penalties wouldn't get passed on, he says.

Rice says this taxation model is just one of many possible solutions, and would likely work in concert with torte law or tighter governmental regulations. This accountability approach would likely vary from country to country, he says, but it's a global issue. "This is a global concern. I'm not sure we're going to see a Kyoto protocol here, but there would have to be some type of concerted international effort" to handle insecure software, he says.

There's no way to write flawless software, Rice says, but vendors need to step up and better protect the consumer. "We're not asking for perfection in products, but for some level of accountability," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5