For years we have heard about nation-state hackers, ransomware gangs, and sophisticated cybercriminals exploiting software vulnerabilities. The discussion almost always centers on the attackers.

Former Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly believes we have been looking at the problem from the wrong end.
“We really don’t have a cybersecurity problem. We fundamentally have a software quality problem.”
That simple observation may explain more about today’s cyber threat landscape than almost any discussion about hackers.
A Consistent Message
More than two years ago I wrote about Easterly’s concerns following a speech in which she argued that software manufacturers should be held to a higher standard of responsibility.
At the time, she warned that technology companies had been allowed to prioritize speed to market over security. She also called for a software liability regime that would hold manufacturers accountable for releasing products with preventable vulnerabilities.
Unfortunately, listening to Easterly recently on The Long Game podcast with Jake Sullivan and Jon Finer, it appears that not much has changed.
The message remains the same.
A Market Failure
According to Easterly, the cybersecurity challenge is fundamentally an economic problem.
Software manufacturers have been rewarded for:
- Shipping products quickly
- Adding attractive new features
- Reducing development costs
- Keeping customers happy
Security, she argues, has often become an afterthought.
“Software manufacturers were allowed to prioritize speed to market over security.”
Instead of designing secure products from the beginning, vulnerabilities have been addressed through years of what she described as “rickety patches.”
Even worse, software companies have transferred much of the resulting cyber risk to their customers.
As she noted, many software contracts effectively tell buyers:
“You bear the entire risk of this purchase.”
Secure by Design
While serving as CISA Director, Easterly championed a philosophy she called Secure by Design—encouraging software manufacturers to build security into products from the beginning rather than attempting to bolt it on later.
She also urged organizations purchasing software to adopt Secure by Demand, using their buying power to insist on stronger security standards.
The goal was straightforward: change the market incentives.
Changing the Incentives
Easterly argues that vendors are still not sufficiently rewarded for producing secure software.
Instead, the marketplace continues to reward:
- Convenience
- Speed
- Innovation
- Lower costs
…while security often remains secondary.
She describes this as a classic market failure.
“Everyone has bought into the myth that there’s nothing we can do about it… like an act of God or a weather event.”
Her point is that insecure software is not inevitable.
It is the result of incentives.
And incentives can be changed.
IP PROBE TAKEAWAY
Near the conclusion of the podcast, Easterly offered what may be the most important observation of the entire discussion:
“It is the greatest transfer of risk since the dawn of the Internet.”
That statement immediately reminded me of General Keith Alexander’s famous warning in 2012, when the former Director of the National Security Agency described the theft of intellectual property as:
“…the greatest transfer of wealth in history.”
Alexander focused our attention on what was being stolen.
Easterly focuses our attention on why it is so easy to steal.
Perhaps we’ve been looking at the problem backwards all along.
Cybersecurity’s real problem isn’t simply the hackers.
Until we change the incentives that reward insecure software, we should not be surprised when our adversaries continue to exploit it.
Disclaimer: IPProbe.Global is a service to the professional IP community. While every effort has been made to check the information in this blog, we provide no guarantees or warranties, express or implied, regarding the content provided in IPProbe.Global. We disclaim all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such persons and the accuracy and validity of the information provided by them. This blog is for general information only and is not intended to provide legal or other professional advice.

0 comments on “Cybersecurity’s Real Problem? It’s the Software, Dummy.”