There needs to be accountability extending beyond purely contractual disputes for producing subpar code due to cost-cutting measures. Taxpayers are shouldering the bill for the cleanup and must have legal recourse.
The US economy loses to cyberattacks an estimated $100 billion (0.64% of the GDP) per year and 500,000 jobs. But the criminals launching these attacks are merely a symptom of the problem. For the most part, they exploit existing vulnerabilities in the code and systems design.
The software will always have bugs, and no design will ever be perfect. However, when cutting corners and going with the lowest bidder puts public safety at risk, those responsible must face legal consequences.
We have stringent criminal laws to punish those exploiting software vulnerabilities. Yet, a very rudimentary legal framework exists to penalize those who give rise to these vulnerabilities through greed and negligence.
Any mid-level beancounter can choose to save a buck by replacing a qualified software developer with a low-paid novice. Such a decision’s potential negative personal consequences are few and limited, while the rewards can be substantial.
Imagine a not-to-hypothetical scenario. A company releases a software product but fails to remove a backdoor used for testing. This company recently saved some money by replacing its quality assurance department with automation software.
There is now an open door through which the hackers can come in and take what they want. If they get caught, they’ll go to jail. But those who made the heist possible are likely to get off scot-free. They may even get a bonus.
The definition of a “threat actor” must be expanded to encompass those engaging in negligent business practices that stimulate cybercrime.