The Urgent Call to Address UK’s Flawed IT Security Market

The failures in the technology market have sparked discussions within the UK government about the possibility of implementing legislation to force IT suppliers to prioritize the security of their products. Policy advisors believe that legislation may be necessary to incentivize software and hardware suppliers to develop products that are resilient against cyber attacks. The US is already considering a similar approach, with proposed laws that would hold software suppliers legally responsible if they deliver insecure products and services.

Ollie Whitehouse, the chief technology officer at the National Cyber Security Centre, has highlighted the problem of the market failing to encourage technology suppliers to invest in securing their software. Despite the existence of advanced research projects that demonstrate the feasibility of creating cyber-resilient technology, suppliers are still failing to address the basics. The number of security vulnerabilities continues to rise, and many claims made by software companies do not align with reality. The market is primarily driven by value and cost, which often undermines cybersecurity efforts.

Short-term solutions, such as the NCSC’s active cyber defense program, do exist, but the long-term goal is to change the dynamics of the security market. This involves promoting transparency regarding software costs, measuring effectiveness, and recording technical debt. Whitehouse suggests that fines for negligence should be imposed on software companies that sell insecure products. This would require a significant shift in the current system that allows software companies to evade responsibility for the damage caused by cyber attacks. Similar ideas are already being proposed in the US, where liability for software products and services is being considered by Congress. It is acknowledged that the UK government lacks the financial resources to persuade IT suppliers to accept liability for security failures through contracts alone.

Academic research suggests that businesses and individuals are willing to pay more for secure software, but there are limits to how much extra they are willing to pay. Therefore, the UK may need to follow the US approach of introducing legislation to hold IT suppliers financially accountable for inadequate attention to security in their products. Although such a change will take time and face opposition from software suppliers, it appears to be the direction in which the industry is heading.
