Incentives need to change for firms to take cyber-security more seriously

IT HAS been a cracking year for hacking. Barack Obama and the CIA accused Russia of electronic meddling in an attempt to help Donald Trump win the presidency. Details emerged of two enormous data breaches at Yahoo, one of the world’s biggest internet companies; one, in 2013, affected more than a billion people. Other highlights include the hack of the World Anti-Doping Agency; the theft of $81m from the central bank of Bangladesh (only a typo prevented the hackers from making off with much more); and the release of personal details of around 20,000 employees of the FBI. The more closely you look at the darker corners of the internet, the more the phrase “computer security” looks like a contradiction in terms.

Why, two decades after the internet began to move out of universities and into people’s homes, are things still so bad? History is one reason: the internet started life as a network for the convenient sharing of academic data. Security was an afterthought. Economics matters, too. Software developers and computer-makers do not necessarily suffer when their products go wrong or are subverted. That weakens the incentives to get security right.

Unfortunately, things are likely to get worse before they get better. The next phase of the computing revolution is the “internet of things” (IoT), in which all manner of everyday objects, from light bulbs to cars, incorporate computers connected permanently to the internet. Most of these gizmos are as insecure as any other computer, if not more so. And many of those making IoT products are not computer firms. IT companies have accumulated decades of hard-won wisdom about cyber-security; toaster-makers have rather more to learn.

In November cyber-security researchers revealed a malicious program that could take control of any smart light bulbs within 400 metres. A hacked light bulb does not sound too dangerous. But such unobtrusive computers can be recruited into remotely controlled “botnets” that can be used to flood websites with bogus traffic, knocking them offline. Routers, the small electronic boxes that connect most households to the internet, are already a popular target of bot-herders. Other targets are more worrying. At a computer-security conference in 2015, researchers demonstrated how wirelessly to hack a car made by Jeep, spinning its steering wheel or slamming on its brakes. As the era of self-driving cars approaches (see article), the time to fix such problems is now.

One option is to leave the market to work its magic. Given the damage that cybercrime can do to companies, they have good commercial reasons to take it seriously. If firms are careless about security, they risk tarnished reputations and lost customers. A planned buy-out of Yahoo by Verizon, an American telecoms firm, may be rethought after its hacks. But these incentives are blunted when consumers cannot make informed choices. Most customers (and often, it seems, executives) are in no position to evaluate firms’ cyber-security standards. What is more, the epidemic of cybercrime is best tackled by sharing information. A successful cyber-attack on one company can be used against another. Yet it is tempting for firms to keep quiet about security breaches.

That suggests a role for government. Researchers draw an analogy with public health, where one person’s negligence can harm everyone else—which is why governments regulate everything from food hygiene to waste disposal. Some places are planning minimum computer-security standards, and will fine firms that fail to comply. The IoT has also revived the debate about ending the software industry’s long-standing exemption from legal liability for defects in its products.

Neither relax nor chill

The problem is that regulation is often fragmented. America has a proliferation of state-level rules, for example, when a single, federal regime would be better. Regulation can also go too far. From January financial institutions in New York must comply with a new cyber-security law that many think sets the bar for breach notifications too low. Changing the liability regime for software could chill innovation by discouraging coders from trying anything new.

Rule-makers can, however, set reasonable minimum expectations. Many IoT devices cannot have their software updated, which means that security flaws can never be fixed. Products should not be able to operate with factory usernames and passwords. No software program can be made impregnable, but liability regimes can reflect firms’ efforts to rectify flaws once they become apparent. Firms need to be encouraged to take internet security more seriously. But overly detailed prescriptions will just hack everyone off.