When I learned that Edward Snowden would be speaking via video at Ohio Wesleyan University recently, I was curious to hear his perspective on security in the corporate world. I had the opportunity there to ask him for his thoughts on the changing attitudes of CIOs on encryption and why it doesn’t seem to be a top-of-mind priority for them, despite everything going on in the news.
“This is fortunate because it's being changed for us. Ultimately this comes down to the calculus of risk vs. reward for these guys. These guys are rational actors, theoretically, they're self-interested, and they're profit driven. It all has to be driven back to the profit motive before them in order for it to make sense.
Now that people have some concern about how their data is being handled, that calculus is beginning to be affected. It's beginning to change, but in some cases it's not as rapid as we need it to be. In some, as you say, they're aware of it, they're kind of interested, but it's not at the top of the plate. However, we are currently experiencing the greatest crisis in computer security in history.
If you look anywhere at any newspaper at any given month, you are seeing an unprecedented hack. Whether it's the DNC, whether it's Yahoo, who just a few days ago revealed more than a year later, that 500 million users' data was compromised. Whether it was the government, the Office of Personnel Management, where everybody's security clearance, background investigation, intensely private details that could be used by foreign intelligence services, things like that, the sort of crown jewels here. Everything is being compromised because of these decisions.
Because of companies going: ‘Selling the product is more important than Securing the product’. There are two ways this is going to work. Either companies are going to get their act together and realize they need to be able to self-regulate in a convincing way, which honestly is going to be difficult to because it's just not their primary expertise. They're not security [experts] most of the time, they're product [experts]. So even when they are trying to do things…offense is easier than defense…
So we have to create a system that protects everyone. And this is going to lead us to structures, I believe, that at some point will impose a liability for negligence in software security. Which means if these companies are not at least making a bare minimum effort, following best practices, using safe languages for example, or getting audits on their code, to make sure they're not at least making at least amateur mistakes that could be trivially detected. Which is how most hacks happen, they will find themselves with a very negative legislative environment that's going to impose an enormous amount of cost on them that I think that they would very much rather avoid.”