A different perspective on all this: Equifax and Our Broken Computer Industry
The “Stupid User” Defense
The computer industry has developed a defense that most industries have tried at one point or another: the “stupid user” defense. When a hack occurs, the spotlight turns to the victim, who is said to be responsible for preventing such attacks. Consider my favorite attack: phishing. A phishing attack happens when someone receives an email and clicks on a malicious link contained in the email. This triggers a process where the program linked to the email searches for, finds, and transmits information from the computer to the sender of the email.
The view of the computer industry is that the responsibility for this attack rests with the stupid user who clicked on the link. The computer industry has made it clear that you should never click on a link from an unknown sender. Announcing this has discharged the industry’s responsibility. But assume that a company had 5,000 employees. The probability that not one person out of 5,000 would click on the link is near zero. An effectiveness rate of 99.98% in preventing clicks would not be enough to prevent potential disaster. A business or individual would have to prevent all mistakes perfectly and permanently.
At a higher level, the industry blames the stupid administrator. The security sold with servers, laptops, and the rest is primitive. In selling the equipment, the rule is caveat emptor, let the buyer beware. It is the job of the IT administrator not only to keep things running but also to acquire and maintain a host of security hardware and software to keep the system secure. The problem is not that these tools are fiendishly expensive but that they constantly become obsolete and have to be reconfigured or replaced.
The problem, as I have written before, has to do with the primitive nature of computers. The basic structure of hardware and software was created to allow upgrades and third-party software to run on the systems. Since much of this came from outside vendors, authenticating the legitimacy of the code was difficult. It still is difficult. Computers can play vastly complex games, but they cannot identify malicious code. Computer companies solve the lack of evolution in computer security by pointing at the users. Try this in any other industry and I am reasonably certain that the lawsuits would be flying, regardless of what the fine print on contracts said.
The computer and the car have become utilities where the manufacturers are given great value by society. Cars have roads, and computers have access to the Internet. Both have utilitarian necessity. But cars are expected to maintain certain safety features. It would seem reasonable that an industry whose failures can wreak havoc globally should be expected to build security into its own systems.