The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt


How Do I Get My Company To Take Security Seriously? Will Liability Work?

For a while now, liability has largely been touted by security gurus such as Bruce Schneier as the catalyst for companies to start taking security seriously. Schneier has made compelling arguments in his books, articles, and even before Congress. I have read all of them and also thought this was a good idea….until today.

The Current State

When you use a product developed by a company, say Windows XP, you are not protected from any damage the product causes. If you are infected with a virus due to a hole in the operating system and a hacker is able to steal credentials for your bank account and commit fraud, you’re screwed. The bank isn’t liable because it wasn’t their fault nor is Microsoft because you accepted the terms of their license alleviating them from any liability.

The Liability Theory

In a nutshell, the theory that liability will lead to better security is based on the idea that vendors will purchase insurance to protect themselves from lawsuits. Insurance companies would then develop and refine requirements that their customers must adhere to or face higher insurance premiums. The financial motivation of paying lower premiums would be enough for companies to adopt good enough security practices to make the world a better place.

In Come the Cockroaches

Today I found an article by Marcus Ranum called “Inviting Cockroaches to The Feast” that not only made me stop and think, but completely abandon the idea altogether.

In his article, he asks you to find one instance where cockroaches (lawyers) have made any industry better. Has medical liability made hospitals safer since the 70’s, or has it just led to inflated health care costs? Did lawyers or the consumer advocate groups that test car safety lead to the creation of crumple zones?

Why didn’t I think of this? I don’t completely agree with Ranum’s premise that it won’t have a positive effect on security. I think it will to a degree, but the downsides are too great. Consumers will pay a higher price for technology because of lawsuits, just as we’ve seen happen in the medical industry, and with the IT economy already in such a poor state, the ramifications are more severe than I care to think about.

No one ever really thought that liability would come to the IT industry, as the article points out. There are too many high-powered vendors that would fight tooth and nail to prevent any such legislation from ever being passed.

Ranum’s answer to the problem is for consumers to demand better security from vendors.

Imagine if 50% of the FORTUNE 500 announced that they were going to defer any new purchases in desktop operating systems pending a 3 year re-assessment of their technology strategy in which they were going to factor in cost of system administration, security administration, anti-virus administration, and downtime. Microsoft stock would hit $1/share in 3 days and 100 new startups would be born, each frantically building the best virus-proof, low-administration, secure, reliable operating systems they could.

True, if large companies banded together and used their economic power to demand better security in the products they purchase, then the products would surely improve. Still, I can’t see this happening in today’s market.

There’s Only 1 Player in the Business Desktop Market

Another problem with that example is that even if 50% of the Fortune 500 banded together and demanded better security from Microsoft in their desktop operating systems (OS), it would be an idle threat. Microsoft has a lock on the desktop market (including locking themselves out). If a company switched their desktop OS, the cost of new hardware, software, and deployment would pale in comparison to the severe impact it would have on user productivity.

For those of you who do not believe this statement, remember you are not the average user. It took me 2 years to convince my dad to switch to XP after he spent 5 years learning Windows 95. It has taken years for the average user to become proficient with their PCs, and switching to a completely new OS would cause many people to send out their resumes as soon as they learn to log in to their new machine (“hmm…if the network admin logged in as root, then I must be leaf!”). This week, I am teaching .NET at Auburn of Montgomery (AL) and there is a course on Microsoft Excel going on next door. During breaks I get to listen to conversations from those students, and a recurring theme is “now that I learned all this, how long until they come out with the next version and change everything?”

It doesn’t matter how easy you think it is to use OSX or some new Linux distro, the majority of users will not agree with you.

In economics, this is called a lock-in effect or path dependency. Sometimes it is also referred to as the ‘QWERTY’ effect, and for good reason. Imagine that scientists study typing and the English language and create a new keyboard layout to make typing easier and reduce errors. On top of that, vendors are giving away free keyboards based on this new layout. Consumers would still rather pay $100 for a ‘QWERTY’ keyboard than use the new one. It’s not that the new keyboard is complex; the characters are printed right there on the keys. It’s that users would rather use what they know. They don’t care that scientists found that because two keys were too close or too far apart, people commonly made typing mistakes. They don’t care that the new keyboard is free. They are afraid of change. They are happy to finally be able to churn out 20 words a minute and not have to hunt and peck (or as a friend of mine once said, “yeah, I finally learned how to type, in high school I used to be a hunt -n- pecker”).

You’re Wrong! Microsoft Did Make XP More Secure!

Yes, I’ve heard that before. Yes, Microsoft did step up the security in XP with Service Pack 2 (SP2). Yes, customers do want better security. That doesn’t prove anything. People want to protect their privacy, but at the same time they give it up for a free cheeseburger. Just because Microsoft made XP more secure does not mean that they caved to customer demand, nor does it mean that Longhorn will sell like it’s 1995. History shows us that customers will buy what they want (look, a dancing bear!) and worry about security later.

So Why Did They Do It?

Microsoft invested a ton of money, even diverting resources from Longhorn, to create SP2 and then gave it away for free. How are they getting a return on their investment? My speculation is that they will enter the security market over the next year and sell services with recurring fees to users of their desktop OS, and that the security work they have done over the past 3 years has been nothing but preparation for them to dominate the market from day one. With desktop sales lagging, MS needs a new way to consistently generate revenue. Don’t want to buy Longhorn? Fine, we’ll get our money when you buy anti-virus protection from us for $30 a year.

Think I Am Way off the Mark?

When XP was released at the end of 2001, the sales were less than spectacular. At the beginning of 2002, sales finally surpassed those of Windows 98 if you compared the sales volume over the same number of days, but how much of that was due to the holiday season when most new computers are purchased (which XP had the benefit of)? Microsoft realized that the market for their largest revenue generator had changed and they had to do something about it. In that same year, they began a security push in their server-based products. Then in 2003, the process used was formalized (SDL) and adopted in the development of XP SP2, at the same time Microsoft purchased an anti-virus vendor.

XP SP2 was released last year and has been a great security success by all standards, including keeping them out of the news (poor CNN, now all they have to scare people with is the dangers of wireless networks), which is necessary to begin changing their image. While they were waiting for SP2 to have a meaningful effect that we can measure, they quietly acquired 2 more anti-virus companies.

This is about where we are at today. Rampant viruses like Code Red are nowhere in sight thanks to the drastic changes and investments Microsoft has made. There is still one small detail they have to deal with before they can dominate the security market, and that’s the negative perception most people have from their poor security track record. That won’t be easy to overcome, not even for the best PR firm….what the hell? Someone is driving home a message that Microsoft is the leader in security? Within the past week you can find posts on Slashdot reporting that when it comes to security, users trust Microsoft, and articles showing how other vendors that offer security products have many more vulnerabilities than all MS products combined. The marketing department is quietly getting ready and now all that’s left is for the product to hit the market. These may all be coincidences, but I think it’s a masterfully crafted business plan mid-execution.

Again, this is purely speculation, and personally I don’t mind if it is their actual motivation. In fact, if this works, I congratulate Microsoft. Good for you for not being like other giant companies that realize their industry is changing and screw consumers in a feeble attempt to extract profits. Good for you for not being like the media industry that uses the legal system to slow or thwart the advancement of technology to keep me from copying the next steaming pile of crap they produce. Good for you for finding profitable ways to make security better, even if you did it for the profit rather than for security.

-Eric Marvets

posted on Wednesday, June 22, 2005 6:53 PM