Incentives need to change for firms to take cyber-security more seriously

IT HAS been a cracking year for hacking. Barack Obama and the CIA accused Russia of electronic meddling in an attempt to help Donald Trump win the presidency. Details emerged of two enormous data breaches at Yahoo, one of the world’s biggest internet companies; one, in 2013, affected more than a billion people. Other highlights include the hack of the World Anti-Doping Agency; the theft of $81m from the central bank of Bangladesh (only a typo prevented the hackers from making off with much more); and the release of personal details of around 20,000 employees of the FBI. The more closely you look at the darker corners of the internet, the more the phrase “computer security” looks like a contradiction in terms.Why, two decades after the internet began to move out of universities and into people’s homes, are things still so bad? History is one reason: the internet started life as a network for the convenient sharing of academic data. Security was an afterthought. Economics matters, too. Software developers and computer-makers do not necessarily suffer when their products go wrong or are subverted. That weakens the incentives to get security right.