Book Review – Geekonomics: The Real Cost of Insecure Software

August 27, 2015

If you’ve ever wondered why the first thing you have to do upon booting a new PC, with its pristine copy of Microsoft’s latest and greatest, is spend the next few hours loading extraneous security software – anti-virus, spyware protection, firewall, spam filter – David Rice has a theory for you. As he expounds at great length in his first book, Geekonomics, our methods of developing software are crude and error-prone, with the industry valuing speed and features over quality and security.

While the book’s subtitle, “The Real Cost of Insecure Software”, suggests an emphasis on the software security holes that regularly make news, the vista of poor software quality Rice describes extends far beyond incidents involving hackers and identity thieves. Whereas many software flaws are merely an inconvenience, some of Rice’s most egregious examples are tragic, such as the time software controlling an X-ray machine designed to treat cancerous tumors malfunctioned and, lacking the hardware failsafes used on prior models, delivered massive doses of radiation that killed six patients.

Major Themes

Modern software is among the most complex creations of mankind, and Rice begins his work by outlining the myriad ways sophisticated programming code is pervading almost every aspect of modern life – from mobile phones to airliners, it “cuts across almost every aspect of global, national, social, and economic function.” Yet unlike materials such as cement (an analogy he uses frequently) or steel that form the foundations of our physical infrastructure, software is infested with design and implementation defects that Rice contends are easily preventable.

The reasons for software’s poor quality are legion. Rice decries the industry’s economic incentives that reward speed and functionality over reliability and security – a condition ironically summed up by former Apple executive Guy Kawasaki in one of his rules for success during the go-go dot-com days, “Don’t Worry, Be Crappy.” Aggravating the problem is a software sales model that Rice describes as shifting responsibility for product maintenance and upkeep away from manufacturers and onto end users, and that relies upon a licensing (instead of outright ownership) model enabling vendors to dictate favorable terms of purchase.

Key Concepts

  • Software is one of the core “construction materials” of modern civilization and has crept into almost all aspects of 21st-century life
  • Despite its importance to society, software’s means of production, acquisition and maintenance are flawed, leading to unacceptable product quality, reliability and security
  • Examples of the effects of shoddy software are legion, with the deleterious effects resulting in substantial financial, and in some cases human, costs
  • While the software ecosystem is currently broken, it’s not irreparable; legal, engineering and professional reforms are available that can bring software production up to the normative standards applied to similar products having wide-scale societal impact

Rice cites a legal framework that holds manufacturers responsible for neither software defects nor the resulting damages as supporting this lack of accountability. Finally, Rice laments the lack of rigorous software engineering standards and practitioner licensing. This litany of problems leads to a sense of despair and distrust among users, sustaining low expectations of software quality.

The majority of the book is dedicated to explicating the structural problems that create a ‘fast and loose’ environment for software production. However, Rice concludes with a faint (or perhaps just feigned) bit of optimism by offering some potential solutions. He recounts each of the major problem areas and suggests ways of filling gaps in the current state of affairs. For example, to address a legal system that allows software vendors to escape responsibility for errors or security holes in their products, Rice suggests legislation or class action lawsuits aimed at applying legal theories of liability and negligence – just as they pertain to car or drug manufacturers. In order to bring a higher degree of professionalism, accountability and standardization to workers in the software industry, he recommends that states or professional bodies such as the ACM or IEEE develop licensing standards and requirements for software engineers similar to those imposed on civil engineers, doctors or lawyers.

Evaluation and Conclusion

Despite the title, the only thing geeky about Rice’s book is the object of his wrath – software. The book seldom strays into technical minutiae. It’s really a public policy treatise about the role of software in modern life and how our public institutions should apply policies and remedies used in other realms to that of software development, sales and ownership. While IT managers can certainly benefit from Rice’s detailed explanation of the causes and effects of shoddy software, the book is a must-read for legislators, legal scholars and public policy wonks searching for ways to lift software to the standards of excellence and safety required for any of civilization’s critical infrastructure.

Bibliography: Geekonomics: The Real Cost of Insecure Software

  • Author: David Rice
  • Publisher: Addison-Wesley Professional (November 28, 2007)
  • Price: $29.99 (list)
  • ISBN-10: 0-321-47789-8
  • ISBN-13: 978-0-321-47789-7
  • Hardcover: 362 pages