Insecure at any speed: why Secure by Design is not enough
As a society, should we mandate secure software? CISA's Secure by Design program calls for voluntary implementation of critical security controls, but safety research, analysis of manager incentives, and the history of auto safety tell us this will not be enough.
In May 2024, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Secure by Design pledge, inspired in part by the 1965 book “Unsafe at Any Speed”. There are remarkable parallels between automotive safety in the early 1960s and cybersecurity today, including a lack of systematic data collection and customers who are forced to take responsibility for security going right and the blame when things go wrong.
While Secure by Design is a good start, the book and market incentives show that the pledge does not go far enough. Software companies are unlikely to make sufficient investments in security, much as auto manufacturers were unlikely to invest sufficiently in safety in the 1960s. Like pollution, security failures impose costs on society that are not paid by the producer. I present a call to action to address the investment gap, as well as a list of additional practices needed to improve the security of software.
Research shows that safety is not good for business, and my own analysis explains why executives under-invest in cybersecurity. The auto safety movement of the 1960s shows what's needed to secure our software-based systems.

John Benninghoff
Cybersecurity Consultant
Security Differently
John Benninghoff is a long-time student and practitioner of managing information risk. His 25-year career in Cybersecurity and SRE includes diverse experience in financial services, retail, government, and health care. He founded Security Differently to advise organizations on how to integrate security into how work is done, quantify risk, improve performance, and make better decisions. John holds a Master's degree in Safety Science from Trinity College Dublin.