Inside Cybersecurity

Software group argues against seatbelt analogy for cybersecurity, emphasizing complexity of cyber issues

By Jacob Livesay / June 27, 2023

BSA-The Software Alliance is urging cyber officials to stop likening cybersecurity solutions to car safety features, claiming the parallel encourages catch-all standards and disincentivizes innovation.

“This oversimplification creates the impression that software security is as easy as buckling a seatbelt. It also suggests that cyber incidents are the result of the lack of caring or competence of software developers,” BSA’s Henry Young writes in a Monday blog post.

The car safety analogy has been used by government officials in the past, including CISA Director Jen Easterly, who compared seatbelts to enabling multifactor authentication during the launch of the agency’s “More Than a Password” campaign.

Easterly said, “Whether you call it multi-factor or two-factor authentication, this simple step can make you 99% less likely to get hacked. Think of it like an airbag or the seatbelt in your car—an extra layer to keep you safe in the event of an accident.”

Young, BSA’s policy director, raises three concerns with the analogy.

First, Young argues malicious actors cannot be compared to drivers on a highway. Young writes, “Other drivers aren’t seeking to disable fellow motorists’ brakes or unbuckle seatbelts the way nation-state actors, and hundreds or thousands of criminal syndicates, attempt to disable software security systems millions of times per day.”

Young explains, “Unlike car accidents, which are just that – accidents – cyber incidents are the result of malicious actors … operating in a complex digital ecosystem.”

Second, Young says policymakers should maintain incentives for the development of improved security functions. “If, instead, policymakers apply the car safety analogy and dictate which security features are required, the result would be less innovation to confront malicious actors who will continue to improve their tactics, techniques, and procedures,” he writes.

Third, Young emphasizes that compliance checklists don’t work for cybersecurity the way they do for car manufacturers. Reverting to “stale” checklists would risk undoing decades of work advancing cybersecurity as a risk management practice, according to Young.

Instead, Young proposes a different analogy, writing, “A better analogy for cybersecurity involves complex systems like ecosystems. Complex systems feature interacting and dynamic actors which produce outcomes that are challenging to predict.”

The blog post concludes, “Building prescriptive requirements for software based on an overly simplistic analogy to car safety won’t encourage companies to develop more secure software. And in the complex digital ecosystem, in which malicious actors are constantly improving, we need to reward software vendors that continuously improve their security tools.” -- Jacob Livesay (jlivesay@iwpnews.com)