Ed Felten has some interesting reflections on the threat of cyberattack on the US information infrastructure. He puts his finger on the nub of the problem:
the traditional governmental processes are ill-suited for addressing cyberthreats. The main reason is that national security processes result in plans for governmental action; but the cyberthreat problem can be solved only by private action. The cyber infrastructure is in private hands, and is designed to serve private ends. Government can’t easily change it.
So what can be done? One idea he discusses is that since unprotected computers in private hands make the entire infrastructure vulnerable, then perhaps individual computer users ought to be personally liable for damage caused by their carelessness/ignorance. Ed points out that there are lots of things wrong with this idea. But, oddly, he doesn’t discuss another obvious possibility — that software manufacturers like Microsoft should be legally liable for damage caused by the security holes in their products. I’ve never understood why the computer industry should be able to avoid liability in this way. Just imagine the fuss there would be if automobile manufacturers were able to avoid being held responsible for flaws in their products. It’s unthinkable. But we tolerate this crazy situation with computers. Why?