In early 2020, cyber attackers who appeared to be working for the Russian government hacked into widely used network management software produced by a company called SolarWinds. The attack gave the attackers access to the computer networks of about 18,000 SolarWinds customers, including US government agencies such as the Department of Homeland Security and the State Department, nuclear research laboratories, government contractors, IT companies and non-government organizations around the world.
It was a major attack that had a great effect on the national security of the United States. The Senate Intelligence Committee is scheduled to hold a hearing on the breach on Tuesday. Who is at fault?
Of course, the US government deserves considerable blame for inadequate network defenses. But seeing the problem only as a technical flaw is to miss the bigger picture. The modern market economy, which actively rewards corporations for short-term profits and aggressive cost-cutting, is also part of the problem: its incentive structure all but ensures that successful technology companies will eventually sell insecure products and services.
Like all for-profit corporations, SolarWinds aims to increase shareholder value by minimizing costs and maximizing profits. The company is owned in large part by Silver Lake and Thoma Bravo, private equity firms known for their extreme cost cutting.
SolarWinds certainly seems to have put little emphasis on security. The company outsourced much of its software engineering to cheaper programmers overseas, a practice that often increases the risk of security vulnerabilities. For a while in 2019, the password for the update server of SolarWinds’ network management software was reportedly “solarwinds123”. Russian hackers were able to break into SolarWinds’ own email system and lurk there for months. Chinese hackers appear to have exploited a separate vulnerability in the company’s products to break into US government computers. A cybersecurity adviser to the company said he quit his job after his recommendations for increased security were ignored.
There’s no good reason to skimp on security other than saving money – especially when your clients include government agencies around the world and when the tech professionals you pay to advise you are telling you to do more.
As economics writer Matt Stoller has suggested, cybersecurity is a natural area for a tech company to cut costs because customers won’t notice unless they’re hacked – and if they are, they have already paid for the product. In other words, the risk of a network attack can be passed on to the customer. Does this strategy jeopardize the company’s ability to keep long-term, repeat customers? Sure, there is a danger there – but investors are so focused on short-term returns that they are often willing to take the risk.
The market prefers to reward risk-taking firms when those risks are largely borne by other parties, such as taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are considered “too big to fail,” meaning society as a whole must pay the price for their unlucky or bad business decisions. The same goes for high-flying technology companies that endanger their customers’ cybersecurity and, with it, national security.
The same misaligned incentives affect your day-to-day network security. Your smartphone is vulnerable to something called SIM swap fraud because phone companies want to make it easy for you to get a new phone – and they know that the cost of fraud is largely borne by the customer. Data brokers and credit bureaus that collect, use and sell your personal data don’t spend a lot of money securing that data because it’s your problem if someone hacks in and steals it. It is too easy for social media companies to let hate speech and misinformation flourish on their platforms because removing it is expensive and complicated and they incur no immediate cost – in fact, they tend to profit from user engagement regardless of its nature.
There are two problems to be solved. The first is information asymmetry: buyers cannot fully assess the security of a company’s software products or operations. The second is the misaligned incentive structure: the market encourages companies to make decisions for their own narrow benefit, even when that harms the broader interests of society. Together these two problems lead companies to save money by taking on greater risk and then passing that risk on to the rest of us, individually and nationally.
The only way to force companies to provide safety and security to customers and users is government intervention. Companies need to bear real costs for their insecurity, through a combination of law, regulation and liability. Governments regularly legislate safety standards – pollution, car seat belts, unleaded gasoline, food and drink regulations. We need to do the same with cybersecurity: the federal government should set minimum security standards for software and software development.
In today’s underregulated markets, it’s too easy for software companies like SolarWinds to save money by neglecting security and hoping for the best. That is a rational decision in today’s world of free markets, and the only way to change it is to change the economic incentives.
Bruce Schneier is a fellow at the Harvard Kennedy School and most recently the author of the book “Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World”.