Should we follow NHTSA’s lead?
The US National Highway Traffic Safety Administration (NHTSA) is dedicated to its mission: “to save lives, prevent injuries, and reduce economic costs due to traffic accidents through education, research, safety standards, and enforcement.” Is it time to create a similar organization dedicated to consumer software security? The mission would be quite similar: to ensure that software meets basic safety and security standards and is easy for consumers to understand, implement and maintain.
Today, cars must meet a basic safety standard before being approved for sale to the public, but software does not. How can we make it easier for every American to protect themselves and their data from digital crimes?
Meeting basic safety and security needs
Uber’s Android app has more than 10 million lines of code (at launch it only had about 10,000), almost as many as the typical smartphone operating system, which comes in at about 12 million lines of code. On smartphones, there are thousands of settings available. Many affect security and privacy and are configurable by end users, which is important to most users. Unfortunately, many software and device users don’t realize that they need to consider each of these configurations carefully, not only because the wrong configuration could expose them to potential attackers, but also to protect themselves from legitimate attempts to use their data in ways that might expose them more than they realize.
Few software products and devices protect users by default from exposing themselves to attacks or overly permissive data access, making consumers easy targets for malicious actors. To increase software security, security features must be in place by default, but users must also use these features for them to be effective.
Creation of security assessments
One problem with consumer software security is that the software and device manufacturers do not warn people about the danger of using them with the default configuration. There are many rating agencies that tell customers about the safety profile of their vehicles. NHTSA provides vehicle safety ratings so consumers can choose the safest vehicles and easily learn about recalls. There is also the Insurance Institute for Highway Safety (IIHS), an independent nonprofit organization that conducts research and evaluation to educate consumers, policy makers, and safety professionals. Consumers can use information from these organizations to balance the functionality they want with critical safety features. This allows consumers to make an informed choice about functionality and safety when choosing a vehicle.
It is understandably a daunting task for software developers to perform extensive software testing to identify and fix all possible bugs before release. It is a tedious, complex and error-prone process. Still, the White House has called for improving the software supply chain in Section 4 of the executive order on improving the nation’s cybersecurity. Although it is challenging (and perhaps impossible) to release bug-free software, it is not difficult to warn customers that they should review and change the default settings.
This warning should come with all software apps and devices. Ideally, it should be more accessible than a long, hard-to-parse terms and conditions page or a small, poorly translated piece of paper in the device box. It should be easy to read and understand at a glance, rather than requiring a magnifying glass, knowledge of legalese and a lot of patience.
In addition to warning consumers that using an application’s default configuration may be risky, we could develop a rating system that lets consumers know when what they are buying is inherently risky, so that they can consciously weigh the same considerations as they do when choosing a vehicle. For example, a rating system might consider:
- The ways in which a particular operating system or application has been attacked in the past.
- The number of security patches required over time to make the application more secure.
- The security features of the application, such as encryption, authentication and authorization.
- The organization’s privacy practices, including how it collects and uses user data.
This can steer a user away from a product – or at least increase their awareness of its safety profile over time. For example, some internet browsers are well known to be riskier than others. What if they came with a security assessment beforehand? Users could rely on this assessment to decide whether they are willing to make a trade-off between functionality and security.
The role of the consumer in software security
With so much software in users’ hands all day, every day, it’s imperative that they start their own security and privacy review of the software and devices they use. Most users focus only on configuring the features and applications that are important to them. While some of these are important usability features, users must also realize that much more is involved. The applications they use interact with operating system settings, and that interaction can cause an application to expose them to a higher risk.
Our role as security educators and software providers should be to encourage users to review all default settings on new out-of-the-box software and devices and make changes as needed. Unfortunately, this is far from an easy task for most users.
Currently, guides are available to help users navigate through the configuration of the most important settings, allowing them to determine the balance between functionality and security and privacy. For example, Consumer Reports released its “Guide to Digital Security and Privacy” to help consumers stay safe online, control online tracking, and protect phones and laptops from attackers. Although these guides are useful, far too few users read and take advantage of them. A simple security rating system that aligns with the current administration’s broader cybersecurity policies could ensure that consumers understand the basics of how to keep themselves—and their software and devices—safe and secure.