Ex-NSA Analyst To Be Global Security Head At Apple
AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used the term 'cryptographer') for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company, and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"
Why not a security rating, so buyer can choose? (Score:5, Interesting)
From the article:
OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.
If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?
OK, so let's say all software is secure. That doesn't stop people from combining it in ways that lead to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?
Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.
For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.