Get the Global IP Investigations and Enforcement Perspective

Industry content delivered straight to your inbox.
Email address
Secure and Spam free...

Cybersecurity’s Real Problem? It’s the Software, Dummy.

For years we have heard about nation-state hackers, ransomware gangs, and sophisticated cybercriminals exploiting software vulnerabilities. The discussion almost always centers on the attackers.

Former Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly believes we have been looking at the problem from the wrong end.

“We really don’t have a cybersecurity problem. We fundamentally have a software quality problem.”

That simple observation may explain more about today’s cyber threat landscape than almost any discussion about hackers.


A Consistent Message

More than two years ago I wrote about Easterly’s concerns following a speech in which she argued that software manufacturers should be held to a higher standard of responsibility.

At the time, she warned that technology companies had been allowed to prioritize speed to market over security. She also called for a software liability regime that would hold manufacturers accountable for releasing products with preventable vulnerabilities.

Unfortunately, listening to Easterly recently on The Long Game podcast with Jake Sullivan and Jon Finer, it appears that not much has changed.

The message remains the same.


A Market Failure

According to Easterly, the cybersecurity challenge is fundamentally an economic problem.

Software manufacturers have been rewarded for:

  • Shipping products quickly
  • Adding attractive new features
  • Reducing development costs
  • Keeping customers happy

Security, she argues, has often become an afterthought.

“Software manufacturers were allowed to prioritize speed to market over security.”

Instead of designing secure products from the beginning, vulnerabilities have been addressed through years of what she described as “rickety patches.”

Even worse, software companies have transferred much of the resulting cyber risk to their customers.

As she noted, many software contracts effectively tell buyers:

“You bear the entire risk of this purchase.”


Secure by Design

While serving as CISA Director, Easterly championed a philosophy she called Secure by Design—encouraging software manufacturers to build security into products from the beginning rather than attempting to bolt it on later.

She also urged organizations purchasing software to adopt Secure by Demand, using their buying power to insist on stronger security standards.

The goal was straightforward: change the market incentives.


Changing the Incentives

Easterly argues that vendors are still not sufficiently rewarded for producing secure software.

Instead, the marketplace continues to reward:

  • Convenience
  • Speed
  • Innovation
  • Lower costs

…while security often remains secondary.

She describes this as a classic market failure.

“Everyone has bought into the myth that there’s nothing we can do about it… like an act of God or a weather event.”

Her point is that insecure software is not inevitable.

It is the result of incentives.

And incentives can be changed.


IP PROBE TAKEAWAY

Near the conclusion of the podcast, Easterly offered what may be the most important observation of the entire discussion:

“It is the greatest transfer of risk since the dawn of the Internet.”

That statement immediately reminded me of General Keith Alexander’s famous warning in 2012, when the former Director of the National Security Agency described the theft of intellectual property as:

“…the greatest transfer of wealth in history.”

Alexander focused our attention on what was being stolen.

Easterly focuses our attention on why it is so easy to steal.

Perhaps we’ve been looking at the problem backwards all along.

Cybersecurity’s real problem isn’t simply the hackers.

Until we change the incentives that reward insecure software, we should not be surprised when our adversaries continue to exploit it.

DisclaimerIPProbe.Global is a service to the professional IP community. While every effort has been made to check the information in this blog, we provide no guarantees or warranties, express or implied, regarding the content provided in IPProbe.Global. We disclaim all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such persons and the accuracy and validity of the information provided by them. This blog is for general information only and is not intended to provide legal or other professional advice.

Did you find this post useful?
I agree to have my personal information transfered to MailChimp ( more information )
Join other IP protection professionals, i.e., investigators, attorneys, and brand protection specialists and receive updates straight to your inbox.
We hate spam. Your email address will not be sold or shared with anyone else.

Ron Alvarez is an IP investigations and protection consultant and writer in South Florida. He is a former NYPD lieutenant where he investigated robbery, narcotics, internal affairs, and fine art theft cases. Ron has since coordinated the private investigation of international fraud and money laundering cases, as well as IP-related investigations and research involving the four pillars of IP: copyright, patents, trademarks, and trade secrets. Ron is a graduate of the FBI National Academy and earned a B.A. in Government and Public Administration from John Jay College of Criminal Justice in Manhattan. He has written a number of articles for various investigative publications, as well as publishing "The World of Intellectual Property (IP) Protection and Investigations" in November 2021. In 2022 he published the revised edition of his first murder/mystery novel "Pilgrimage to Ruin" and in 2024 he published his Quantum spy thriller novel "Bird in the Cage."

0 comments on “Cybersecurity’s Real Problem? It’s the Software, Dummy.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get the Global IP Investigations and Enforcement Perspective

Industry content delivered straight to your inbox.
Email address
Secure and Spam free...

Discover more from IP PROBE - Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading