Software companies appear to be having a rude awakening, as described in Dan Strumpf’s article, “Liability Issues Create Potholes On the Road to Driverless Cars,” in The Wall Street Journal of January 28, 2013.
Commercial software companies have long gotten away with taking no responsibility for the functionality of their software. As long ago as June 18, 1999, my letter to the Editor of The New York Times, with the title, “Are ‘Viruses’ Naughty by Nature?” was published. The letter was as follows:
“Re ‘Illness as a Metaphor for Computer Bugs’ (news article, June 14): In fact it is the biological analogy itself that most hampers attempts to eradicate the viruses and bugs that cost us hundreds of millions of dollars a year in the purchase of antivirus software, destroyed information and lost productivity.
The common impression that it all comes down to a battle between the virus creators and virus destroyers prevents us from recognizing the real culprits: the software manufacturers who are getting away with and even profiting from their own products’ deficiencies.
The push to bring new and improved products to market at the lowest cost results in program developers’ cutting corners. If we were to insist on having defenses built into the products we buy, there would be no need to suffer the consequences of virus attacks or to spend so much trying to defend ourselves against them.
When we buy a car, we expect certain safety features to be built in, and if they don’t work, then the vehicle is recalled and fixed at no charge. We should expect the same guarantee from software developers.”
What goes around comes around. Suddenly the two separate worlds of commercial software development and the safety of vehicles are converging. As I point out in my book “Engineering Safe and Secure Software Systems” (Artech House, 2012), the cultures of information system software developers and of software safety engineers are very different, and there is a question as to whether they can be brought together as is needed for driverless vehicles. Information system creators and operators, such as Microsoft, IBM, Google and the like, make no assertions with respect to the operability and fitness for purpose of what they write and sell. Common software contracts basically say that there are no guarantees … let the buyer beware! However, the automotive industry, as well as other industries such as aviation, has to meet very specific standards for the software that it develops and installs in vehicles. Not so for commercial software. Therefore we have a disconnect, as can be seen in the Strumpf article.
The liability issues relating to driverless vehicles are but the start of a long and tortuous discussion about how we account for security and safety in cyber-physical systems. Commercial software companies will have to understand that the free ride that they have been able to maintain all these decades no longer applies when software is used to power life-threatening and harm-threatening systems. This will be a rude awakening for many, but is something that they are going to have to get used to if they hope to operate in the world of hazards.