2004 UCLA J.L. & Tech. Notes 7

Can the Insurance Industry Patch Our Software?
by Harold Lee

If you are one of the many people who have suffered from a critical loss of data or hampered software performance in the wake of the “Mydoom” or the “Sobig” viruses by opening that seemingly harmless email attachment (and you know who you are), you are far from being alone. One security expert estimates that at the peak of the “Mydoom” virus in January of 2004, one in twelve emails carried the virus.[1] In addition, viruses are increasingly being propagated with the benign appearance of being sent from a known friend or organization, thus adding a multiplicative effect to the economic carnage that these viruses induce.

Besides taking the obvious step of criminally prosecuting the creators of these invidious programs, the most effective path to reaching the goal of minimizing the effect of these attacks is anything but clear. On the supply side, we may prefer to have our software companies create their products with a market-optimized incentive for minimizing the “holes” or susceptibility of their products to these viruses. One particular group of trial lawyers is seeking to add a little “punch” to this market incentive by filing a class-action product liability lawsuit against Microsoft. The complaint, filed in State Superior Court in Los Angeles, alleges that Microsoft’s Windows operating system is riddled with security flaws, and that Microsoft is aware of this fact and does little to warn or help consumers.[2] Assuming that the class-action status of this suit is valid, many interested observers of this case recognize the inherent hurdles that face the plaintiffs. Besides the facial difference between a software program like Windows and, say, a faulty automobile, companies like Microsoft often license, rather than sell outright, their products. Thus, they make access contingent on the end-user agreeing to a number of terms that absolve the company of liability.[3]

However the legal issues are adjudicated in the sure-to-be-coming wave of product liability suits against software companies, the policy question of whether software companies should be held liable for not sufficiently protecting consumers against this viral havoc looms large. If the California and American judicial systems declare that software companies are liable for the damages caused by viruses, these firms would understandably decide to insure themselves against the massive downside of class-action product liability. Enter the insurance industry with its army of actuarial tables and risk calculations. The insurance market, as is its nature, would thus adjust insurance premiums according to the liability risk being shifted by any particular software company. Since this risk would presumably be measured by objective evaluations of how secure and “hole-proof” a firm’s software is, software companies would thus possess the market incentive to prepare errorless and glitch-free programs in order to avoid high premiums.

There is a countervailing argument against allowing the insurance industry to waltz in to provide economic incentives for the creation of secure software. High insurance premiums that add to the costs of conducting business may have a “chilling” effect on the creativity and incentive to enter the software business, particularly with smaller, niche software companies. Stanford University’s Lawrence Lessig, an expert on cyberlaw, disagrees by pontificating that smaller firms would “not present much of a target to hackers, and would thus pay negligible premiums.”[4] Firms like Microsoft would no doubt also claim that the reputational damage caused by being blitzkrieg-ed is incentive enough to devote adequate resources to code security.

It is well known in the annals of popular culture that Bill Gates and Warren Buffett, two of the wealthiest men on the planet, are friends and occasionally play cards with each other. But it has yet to be seen or exhaustively argued whether the chairman of the world’s largest software company and the chairman of one of the world’s largest insurance holding companies should be commiserating a little more than at the Texas Hold’em table.

Footnotes

1. BBC News, Mydoom Virus “Biggest in Months,” Jan. 27, 2004, available at http://news.bbc.co.uk/1/hi/technology/3432639.stm.
2. Steve Lohr, Product Liability Suits Are New Threat to Microsoft, N.Y. Times, Oct. 6, 2003, available at http://www.lexisone.com/news/n100603a.html.
3. John Sullivan, Microsoft’s Little Liability Problem, OSNews.com, Oct. 7, 2003, available at http://www.osnews.com/story.php?news_id=4755.
4. Staff, Fighting the Worms of Mass Destruction, The Economist, Nov. 27, 2003.