As an introduction I would like to give two figures from the first chapters of the book.
- An estimate of the US losses coming from software failures (both quality or security) at the scale of the whole country: $180 bn a year. (yes billion, not million)
- Deaths occur from software failures. Multiple times per year, if they are not numerous enough to make statistics [yet].
David Rice's point
In the beginning of the book, David Rice argues that software developers have no incentives to make a better work. In chapter 5, Absolute Immunity: You Couldn't Sue Us Even If You Wanted To, David Rice shows that the US government is not making anything against software failures. On the contrary, the US gov gives developers the free hands and no responsibilities of any kind if they should get sued over damages resulting from the use of their software.
And he goes for a short explanation that the US system waits for citizens to become plaintiffs and sue software developers before any public authority will react. He quotes the typical reaction that you would get if you tried to make a law about software quality, through Ronald Reagan's words:
Government is not the solution, government is the problem.
I quite agree with the author on the observation. The US gov does nothing, or goes against any initiative geared towards better software. But I don't agree with the far too simple explanation he gives. I guess a $180 bn issue would get a law if there were no incentives for not making a law. And I can see three reasons a country like the US wouldn't want to improve software quality.
- "Don't worry, be crappy". This maxim by Guy Kawasaki summarizes well the way software companies get into the subject. They try to output something they can sell, whatever the quality. But this reasoning also goes for countries. Software is a global trade good, and a big software maker as the US doesn't want to slow down the sales by making quality restrictions. If a law were passed, it would probably impact the economy of the country. Same goes for other developed countries.
In the same train of thoughts, if a law were passed, maybe some development companies would offshore developments.
- We are still in an early phase of software deployment. Though it is recognized that a big company now has to do better IT rather than more IT, it is still important for many countries, including the US, to do more IT, even at the cost of not doing it better. I mean, a country like the US gets a competitive advantage from doing more IT, getting more automated stuff in its services, agencies, its companies, etc. and would "competitively speaking" lose time by concentrating on the improvement of quality and security.
- As is long argued in the book, there is an underground market for security vulnerabilities. This market is the fact of underground hackers, but if the underground does it, there are good reasons to believe that the "official" intelligence services do the same. If so, it is rather possible that intelligence services from the typical countries such as the US, France, Israel, Russia or China (which are coincidentally the biggest software developers) have good interest in keeping a high level of not public, unpatched vulnerabilities. They want to know the vulnerabilities themselves, be able to penetrate a lot of places, especially for industrial eavesdropping, and they absolutely do not want software makers to patch the vulnerabilities.