This is a valid approach. I, for example, like to run companies that do not mind if employees click on bad links. We understand it will be impossible to avoid, so we prepare for the inevitable — and have zero trust that there will be perfect behavior from our employees.
But when the “trust balloon” is squeezed to remove trust from end-users, then where does it go? There are two possible recipients: enterprise security organizations and the software that enterprises purchase.
Given that security organizations are ubiquitously understaffed and overwhelmed, market forces have stepped in to squeeze the trust balloon once more. Trust has been eliminated from the end-user and delegated by understaffed enterprise security organizations to big service providers and software companies. We trust Big Tech — Google, Facebook, Amazon, Microsoft, Slack, and Zoom — to be the stewards of our most critical data. We have given our trust to an industry built upon speed and risk acceptance that has no liability other than market forces.
Where shifting trust models go wrong
While it may seem a reasonable solution to trust Big Tech with your data, you need to first be clear about one thing — these companies are primarily interested in growing their market share, not security. For example, Zappos is okay with some level of fraud, Microsoft Teams is okay with occasional remote code execution, and SolarWinds was more profitable if it did not keep tabs on its software build processes. In these cases, data security and privacy were decoupled from profitability and valuation. Low quality and high risk were acceptable outcomes in pursuit of high valuations and executive wealth creation.
But the Department of Justice cannot operate in a similar risk model. It is not okay for Russia to have unfettered access to DOJ email and the Office of Personnel Management cannot be okay with the occasional breach giving China’s intelligence agency access to the personnel files of 22 million government employees. It’s obvious that our national security interests are not supported by the use of vulnerable software. And yet, the national security apparatus is reliant upon technology that prioritizes profitability and valuation above all else.
The effect of market forces on security
Market forces have dictated that a move-fast-and-break-things mentality is the most reliable way to achieve the highest possible market share and valuation. For a tech CEO, the longest path to billionaire status has been developing secure, well-engineered products. Our shifting trust models have placed the responsibility for data security at the feet of the decision-makers with the least incentive to build secure software.
I don’t mean to suggest that the billionaire CEOs of the world’s largest software companies are naturally inclined to abuse privacy and data — rather, they are profit-motivated geniuses who are naturally inclined to compete and win within the regulatory swim lanes given to them.
The importance of liability
The Clinton administration gave the U.S. technology industry a get-out-of-jail-free card with the Telecommunications Act of 1996. As a result, Silicon Valley dominated — innovation grew and stayed in the U.S. Moving fast and breaking things was the right approach. No certifications, no permitting, no consequence for security or privacy issues. Now is the time to examine liability and put CFOs and CEOs on the hook for dodgy engineering.
In 2013, HTC shipped more than 18 million mobile devices with security flaws and settled the resulting charges with the Federal Trade Commission (FTC). In 2019, Google received a then-record €50 million (about $57M) GDPR fine from France's data-protection regulator, CNIL, and in the same year Facebook was hit with a record $5B FTC fine for its privacy infractions. Just last December, Noah Phillips, a member of the FTC, testified to the Senate Committee on Commerce, Science, and Transportation that the FTC's consumer privacy-enforcement actions against Facebook, TikTok, YouTube, Zoom, and other companies had already had a "greater impact than any others in the world." This can be viewed by the layperson as progress and directionally correct.
The sad reality is that these fines are so inconsequential that they actually promote recklessness. Google generates almost $370 million per day from ads. A “record” $57M fine is not a speed bump — it is an invitation to hit the gas. More than ever, market forces are signaling to the technology industry that ignoring security is their most profitable strategy. Enter the conga line of security vulnerabilities and breaches in 2020.
This is just a sampling of the security incidents in the past year that were most emblematic of poorly engineered software that impacted large enterprises and national security:
There are talented security minds employed at most large software companies, but their functions are starved and underserved. They will remain so unless regulators become serious about enforcement. Fines should be increased to levels that have a material impact. Sticks can be motivating, but carrots work too. Balance sheets should be audited and investment in security engineering increased industry-wide. Software vulnerabilities and data breaches should trigger mandatory oversight and increases in security budgets.
What can be done?
We should be requiring more from tech companies and creating regulatory frameworks that hold them liable for unacceptable product security. The question facing our industry is NOT whether the breach and response playbook used for building and selling video doorbells should be used by the Pentagon. We know the answer is no.
We just have to stop lowering our security standards in the name of convenience. The massive costs required to recover from the SolarWinds/Microsoft breach are not an acceptable burden for taxpayers to shoulder. We give all our trust to large technology providers — trillions of dollars of wealth are created in these software companies. It's now time for these companies to own their fair share of liability as well.