Marc Andreessen famously said that “software is eating the world.” But with an estimated 4.9 billion Internet-connected things currently in use, and the number of once-isolated or analog systems connected to the Internet growing at a breakneck pace, one might revise Andreessen's quote to say that “interconnected things are eating the world.”
In the excitement to connect everything in the world, from pacemakers to cars to home security cameras, security is often neglected or treated as a later-stage add-on rather than a critical initial component. But weak or absent security in these burgeoning technologies and newly connected devices can have a significant impact on business and society.
Businesses and society could reap significant advantages if security problems were properly addressed through training, educating, and incentivizing the people who can most influence software security. Recent RAND research found that if the frequency of software vulnerabilities were cut in half, the overall cost of cybersecurity to companies could decrease by 25 percent.
Despite the best efforts of security professionals within organizations and the broader security community to advocate for creating more secure software and regularly patching vulnerabilities, their voices may not be enough. More needs to be done to drive systematic change in how software is developed and vulnerabilities are addressed.
Code is continually being developed and updated, and not just by developers with a formal background in computer science: virtually every engineer, scientist and entrepreneur with a STEM focus now writes software. As the code bases of the software and embedded systems people rely on in their day-to-day lives grow to millions of lines, software errors will inevitably occur.
Take, for example, a simple iPhone app; it likely has a few thousand lines of code. In comparison, an operating system typically has on the order of 40 to 50 million. Estimates show that even after vulnerability testing, approximately one bug remains per 2,000 lines of code. That works out to one or two bugs in the iPhone app and more than 20,000 in the operating system. Not every residual bug is exploitable, but the arithmetic gives a sense of how many latent defects an attacker has to choose from.
Problems arise when there is a gap between knowing how to code and knowing how to code securely. Design flaws, poor implementation, and unanticipated uses of a system all give attackers openings to exploit it for their own advantage.
To avoid such blunders, those writing the code must understand security well enough to build applications and systems that are secure from the start. Training employees to that end can make a significant difference in keeping networks, systems, devices and applications secure.
Training should go beyond those creating or implementing information technology, computers, networks, or security. Companies must invest in all of their people. From the C-suite to the intern, every employee should be trained to have a security mindset, spotting and reporting possible errors. One could liken it to companies training their employees to recognize unwanted strangers on a secured floor, extended into the virtual world: a sort of human intrusion detection system.
Beyond preparing and training today's workforce, consider the next generation to fill the corporate world's shoes: students. There is a need to emphasize the importance of security to them.
Secure coding is typically not a part of the core curriculum for computer science majors in college, and is rarely taught in lower levels of education. If this is the next generation of individuals developing the software, creating the devices and building the infrastructure — in both the digital and physical realms — how is security to be ensured?
Where some may see an issue, we see an opportunity. In software development, as in many other things in life, it is easier to teach good habits to newcomers than to break long-established bad ones among those who have been around for a while. If the next generation is taught early why security matters and how to code securely, future generations will be much better off. There is great progress being made in this area, from the addition of conference tracks and breakout rooms, or "villages," at the DEF CON and RSA security conferences to teach young people about security, to new programs with sites like Code.org that build security curriculum for high school students.
Though technology is thoroughly embedded within the average person's life, security is not emphasized to the general user. For example, kids who play games on their iPads or teenagers surfing the web on their phones — do they understand how and when to patch their devices? According to some reports, as few as 20 percent of vulnerabilities get patched on Android devices when needed. Even in the physical realm, when was the last time you considered applying software patches to your toaster, fridge, lights, or home thermostat?
Education is a critical part of solving this issue. By teaching the importance of security to young minds early on and continually raising awareness among the broader public, the impact of technology-based attacks may begin to be blunted.
Realistically, vulnerabilities and edge cases (unintended uses) will always exist in some shape or form. Like humans, technology has its imperfections and weaknesses. However, creating the right incentives for people can help tackle the software vulnerability problem.
Bug bounty programs and in-company competitions are good examples. They serve the general good by surfacing and fixing flaws before they turn into security incidents. Bug bounty programs, whether run by vendors like Microsoft and Facebook or by third parties like HackerOne and BugCrowd, offer rewards for uncovering software vulnerabilities or exploitation techniques, either as money or as recognition, which is a valuable currency in many security research circles. In-company competitions can incentivize employees to keep their systems up to date and patched, or to stay vigilant for potential spear phishing campaigns.
As the world becomes more dependent on technology, connected devices and networked systems, securing the underlying software takes on increasing importance. The need to understand these implications and take action is real.
Training, education and incentives are by no means the cure-alls to software vulnerabilities, but they are core concepts that will help create a safer world in the future, where everyone is less vulnerable than they are today.
Sherry Ryan is IT vice president and chief information security officer at Juniper Networks. Lillian Ablon is a cybersecurity and emerging technologies researcher at the RAND Corporation.
This commentary originally appeared on The Huffington Post on February 17, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.