We Build What We Value

Let’s get something straight right from the get-go: from the perspective of the manufacturer there is no incentive to build secure things.

We Build What We Value
Tin cans connected by string

There have been multiple posts and articles recently that have focused on the need to imbue security into the things we build. Similar missives over the years have tended to be heavy on sentiments and light on workable solutions. This latest batch is better than most, but they still do not address the issue in ways that resonate or that might trigger action.

As my friend and former colleague Jay Healy points out, building securely from the start is not a new refrain. It is a song older than most current practitioners. As our relationship with technology becomes more intimate, the wisdom of building things securely in the first place is obvious. Why then, is it so hard to actually do?

We’ve cried ‘wolf’. We’ve articulated every ‘what if’ scenario and (bad) wartime analogy we can think of. Fear, uncertainty, doubt, and appeals to our better angels is clearly not cutting it. One thing we’ve yet to try is economics, which is how we got into this situation in the first place.

What’s my Motivation?

Let’s get something straight right from the get-go: from the perspective of the manufacturer there is no incentive to build secure things. Nobody is in the security business, not even security companies, they’re just in business. Nobody is dying on the cybersecurity hill if there is no financial factor in play.

Look at the reported cost of every breach you can think of, and then look at the victim company’s annual revenue. Use whatever formula you’d like to suss out what the company should have been spending on security. Paying for security shortcomings is almost always cheaper than investing in a SOC and a threat hunting team and network…no, endpoint…no, XDR solutions, etc., etc. This is risk economics 101: you don’t spend $10M to defend something worth $1M. More to the point: you can afford a $10M expense if you made $10B operating without a cybersecurity safety net.

What about saving lives?

What about saving lives? Besides the rare and ancient edge case, how many people has cyber insecurity killed? No, no, no: Coroner's report or it didn’t happen. Even during peak-pandemic-ransomware you can’t draw a straight line between a vulnerable computer and a body. Well, I guess you can, but there is a difference between people who willingly accept extreme risk and plain vanilla consumers who just want a widget that works at a reasonable price. This lack of casualties actually tells us something about how much risk we face due to insecurity, which is to say: maybe a lot less than we think.

What about goodwill?

Again: only security nerds are clamoring for secure products. Ordinary people don’t care. You can take over their car and drive it off a cliff; you can literally put their kids at risk and it's not enough to get them to act in a meaningful way. Not enough of them anyway. And not so much that they are willing to spend as much on lobbyists as manufacturers do.

Remedies Rooted in Reality

Tax incentives, rebates, or other approaches that take economic arguments off the table should be the cornerstone of any effort to improve security at the atomic level. We do it for people who improve the energy efficiency in their homes, we do it for people who buy electric cars, we do it to support corporate R&D.  If the government truly believed that cybersecurity is the issue it says it is, then it should be willing to pay for it.[1]

A model where “cybersecurity is ultimately the responsibility of every CEO and every Board” is workable. We actually have precedence for such an approach in SOX.[2] The issue is that SOX only came about after epic bankruptcies and life-changing economic trauma for tens if not hundreds of thousands. We’ve never had an equivalent cybersecurity event that would drive such action, and by definition if it happened it would be too late for a disturbing number of people (more on this in a minute).

If we go down the SOX-for-Cyber path, the associated penalties need to hurt. Badly. The cost of building securely up-front should be significantly cheaper than the pain associated with failing to do so. The language of any such law would need to be clear and definitions tight; if there is an insecurity loophole, it will be exploited.

Incentives might not be enough, or they might not apply to certain commercial concerns, which is why the government needs to look at efforts like the National Flood Insurance Program or the Affordable Care Act or any number of other programs that address gaps market forces leave behind.

Finally, change depends on mandatory participation. This is easier to swallow if there is a way to deal with the associated costs (see above). Voluntary efforts are nice, but they end up being the last thing anyone does. Where have 40+ years of voluntary efforts gotten us? Another year of op-eds whose only major difference is the date and byline.

Potholes on The Road to Security Nirvana

There are numerous reasons why we’re unlikely to see significant changes in the status quo. Security failures are larger than ever, yet there is an argument to be made that we’ve reached an equilibrium as far as online risk is concerned. Fraud associated with your credit card? The bank makes you whole.[3] Data lost in a breach? Here is some beer money and credit monitoring.[4] What we’re doing seems to be enough as far as the citizenry is concerned, and if they’re not up in arms, what politician is going to spend time on the issue?

The power of the purse, in the form of security-first language in government contracts, is a step in the right direction yet such language doesn’t always make it into contractsAppealing to the power of Buffet-class investors is a great idea, but a model where “cybersecurity risks are an equal organizational priority with financial, operational, or market risk” would have to be supported with data. I’m not aware of - and I’m happy to be proven wrong about this - authoritative data that supports the idea that cyber risk is a peer to financial risk. The breaches at Target and Home Depot were headline news events, but they’re still going concerns; Bed Bath & Beyond is hanging by a 300-count Egyptian cotton thread, and it has nothing to do with their security posture.

You wouldn’t think corporate compensation schemes would play a role in cybersecurity, but you’d be wrong. CEOs are compensated in large part with company stock. They’re evaluated quarterly on company financial performance. As CEO, if you can’t hit your goals in the usual fashion, then you’re going to come up with something unusual (or shady AF) or you’re going to find yourself out of a job. From Enron to WorldCom to Nikola to Theranos, the message has been clear: you can do no wrong as long as you’re making enough money (or the promise of a windfall remains). Nobody’s golden handcuffs involve achieving SOC2 compliance.

We’re From the Government. We’re Here to Help

The government would have a much stronger pair of legs to stand on when it comes to making cybersecurity arguments if it could actually meet its own standards and recommendations. Retroactively securing things is hard. This should elicit some measure of empathy when private enterprise objects to governmental overtures rather than disappointed looks and finger wags. Glass houses and all that.

The government spends a lot of time and money on conflict in cyberspace. Historically, long periods of wartime advances trickled down to improve civilian life. That hasn’t happened when the contested area is cyberspace (unless you count Ghidra). Public-private partnerships aren’t really, and sharing organizations are valuable because of the sharing that goes on between industry members, not government representatives. 

Yet the idea that “government cannot solve the problem,” is curious given ample evidence to the contrary. It's safe to drive and fly and live in a house because of the government. You can eat food without worrying about whether or not it will kill you thanks to the government.[5] The government “fixes” all kinds of things because the government’s #1 job is protecting its citizens. That it hasn’t cracked this nut yet has less to do with effort than it does with imagination (or lack thereof).

The Wrong Way Around

Having said all that, we are probably doing this all backwards. Historically speaking, the one and only factor that spurs change when it comes to safety and security is a sufficiently large pile of bodies in a sufficiently short period of time. Like 9/11, when it happens, our response will define “knee-jerk” and appear to improve security more than actually improving it. Everyone who wants ‘TSA for the Internet’ raise your hand. Rather than imagine the best case scenario, we might make more progress and secure more buy-in imagining the worst case scenario and walking things back until we have something tolerable. 

Humans are really bad at assessing risk. The actual or metaphorical creepo in a white van enticing children with candy has never been less of an issue but we criminalize people who behave accordingly. We are way more excited about the next big thing than we are our physical health. It doesn’t matter how close we may be to catastrophe, until the impact of our inaction is staring us in the face we simply can’t bring ourselves to elevate the give-a-s***-factor. At least not using traditional thinking and approaches. That, ultimately, is why we’ll continue to bolt on security after the fact, and why we’ll still be talking about “hope and change” right up until it's too late.


[1] Let’s be honest: the burden will fall on the taxpayer in one way or another, but let’s set that aside for now.

[2] SOX only applies to publicly traded companies. Any attempt to replicate it for security issues would likely only apply to public companies as well. Unfortunately privately held SMBs are the largest segment of the economy.

[3] Thanks to the $.0001 fee increase you and a million other customers didn’t notice.

[4] Courts increasingly require that you prove damages, merely being a name in a data dump isn’t sufficient to claim victim-hood.

[5] Like, immediately, not 20 years from now due to clogged arteries…that’s on you