The Increasing Need for Regulation of the Software Industry

Every day the typical American life is further ensnared in software. As the potential for this software to inflict damage increases so too increases the need to ensure its quality. The risk taken by the user is high when software fails: personal information is leaked, credit is ruined, money is stolen. But the risk of the software producer—the entity which profits from such a relationship—is low, usually no more than a small fee and fleeting publicity.

Each online service you've signed up for is a ticking time bomb. It's about time they explode not only in face of the users but in the face of the profiteer as well.

The brunt of the work performed within the software industry is by individuals with the job title of Software Engineer. Yet, this moniker is merely a misnomer. A true engineer must go through rigorous training, pass exams of competency, swear to uphold a degree of ethics, and risks being disbarred if they make a costly mistake. These safeguards do not exist in the software industry.

“Move Fast and Break Things” is the motto by which many Silicon Valley companies abide. But, in the age where a massive security breach leaks the credentials of millions of people every other week, this motto is proving to be dangerously out of date.

When Facebook recently leaked photos of several million users and allowed access to private information of tens of millions of users, at least one could argue that the user chose to upload such content. The old adage is that as soon as something is uploaded then all privacy is lost. As Mark Zuckerberg originally put it, ‘People just submitted it. I don't know why. They “trust me”’. Is this really the bar we want to set in a world of ubiquitous internet access?

Facebook is an entirely optional service. What about the services we can't hide from at all? Equifax recently had a breach which included names, addresses, and Social Security Numbers of 143 million Americans. Private financial data is constantly fed to these credit bureau companies—an act which an individual has almost no control over. Both the U.S. credit system and the nine-digit Social Security Number are entirely obsolete thanks to this breach.

These leaks are exacerbated by the fact that most users reuse the same password across multiple services. Have you, personally, ever reused a password? The threat isn't that a hacker scrolls through a massive spreadsheet of usernames and passwords and tries to log in by hand, potentially selecting your entry from the list. The reality is that automated bots attempt to log in to hundreds of popular websites with each credential discovered in a leak.

If the software industry truly had accountability then there would be an innate need for every software developer to keep operating systems updated, expire old database entries, hash stored passwords, etc. The E.U. General Data Protection Regulation (GDPR) is making great strides when it comes to requiring companies to secure personal information—as well as punishing companies which don't comply. A GDPR violation can result in a fine of €20 million or 4% of global revenue, whichever is higher. Unfortunately, an equivalent to the GDPR doesn't yet exist in the U.S. Even if it did, we would still have much more to do as an industry. The motivation to build correct software must be ingrained within every Software Engineer—a line item on a work order isn't motivation enough.

Today's consequences for buggy software include the loss of intimately personal data such as financial history, medical records, and private conversations. Tomorrow's consequences will directly lead to the loss of human lives. Consider the self-driving destiny of cars, trains, and airplanes. What will the consequence be when a Software Engineer neglects to change the default password of a piece of networking equipment embedded within a fleet of airplanes?

With the ever-increasing foothold that software has on the life of every American, and the ensuing risks that come with it, tighter regulations on individuals within the industry simply must be imposed. This will require adhering to standards of ethics. This will require the disbarring of a Software Engineer who makes a series of grave mistakes—and has been judged accordingly by their peers. This will require that we finally treat Software Engineers as engineers.

The failures which led to the Equifax breach, in the eyes of any skilled Software Engineer, are tragically comical. These were Computer Science 101 mistakes. The damage caused by Equifax's negligence should have resulted in enough fines to bankrupt the company, not to mention the disbarring of several Software Engineers. As a nation we should be clamoring to design an alternative system in an attempt to both undo the damage and mitigate future incidents.

“Regulation Stifles Innovation” is the battle cry of the Silicon Valley startup. How long until the American people are forced—wounded and bleeding—to reply with “Reckless Innovation Kills”?

Tags: #opinion
Thomas Hunter II

Thomas has contributed to dozens of enterprise Node.js services and has worked for a company dedicated to securing Node.js. He has spoken at several conferences on Node.js and JavaScript and is an O'Reilly published author.