You don’t need to (and shouldn’t) hold the lowest level employees responsible. Just hold the company responsible with severe fines, like their entire revenue for a year or something. For gross malfeasance, hold the CEO and CISO (or CTO) responsible. That would be enough to see budgets for application and network security teams and training skyrocket. Right now those budgets are as small as possible to avoid catastrophic brand risk.

First of all, there are better ways to deal with anything than privateering. There’s a reason why all countries in the world have abandoned it.

I mean, mostly that is because speed of communication increased significantly and most of the major powers increasingly formed alliances that were mostly to enhance trade. So having Captain Ron murder all the cargo ships on behalf of England would not only hurt England’s pockets but also get out really fast.

Secondly, everybody is operating under the assumption that cybercrime is something that happens and there’s no way around it. I contend that if software vendors were penally responsible for vulnerabilities in their software, you’d see a dramatic reduction in hacks very, very quickly.

A dedicated blackhat is like someone who is dedicated to getting into your house. You can take precautions but if they want in, they’ll get in. Which is why there is so much emphasis on threat detection and policies to react to them.

Probably closer to twenty years ago than not, there was a pretty fun show on Discovery (?) called “To Catch a Crook” or something. The premise being that two brothers used to be burglars but now help families improve their security by selling name branded security systems. Every episode would begin with them breaking in, explaining how, and the security system would be installed. Then they would try again and always get in because the family didn’t turn it on or they left an upstairs window open or whatever. Except for one episode where the family DID actually follow all best practices… so they just smashed a window and stole shit before the cops got there.

As in, if a piece of software is exploited, the engineers who worked on it, their managers and the CEO of their company had better come up with extensive documentation proving how they did their best to implement security before releasing the unfortunate piece of code

This already exists. And much of the software that the world actually runs on has regular security audits from third parties and even governments. They suck but they are also what lead to “We are going to make damned sure every merge request has a detailed review” and so forth.

This is why “supply chain hardening” is such a big deal and why Canonical and Redhat exist.

or all of that bunch gets to spend time in the slammer. (…) If this was implemented into law, I guarantee you software would become very secure across the board in no time flat.

If this was the law, I guarantee you that every software company subject to these laws would shut down instantly. And the ones that are left would be structured as a series of shell companies to minimize liability and flee the country.

---

Don’t get me wrong. I don’t think (official) letters of marque are at all a good idea for the same reasons we migrated away from them as a people: They are just a way to trace liability and trigger a war. But basically giving hackers the PMC treatment (which russia, china, north korea, etc already publicly do) and sending them after enemy infrastructure? Welcome to the cold war of the 21st century… assuming we don’t just go hot in the next year or two.

My god, exactly this. Instead of AI slop features being slammed into every nook and cranny, we’d see software release rate slow to a crawl. Features would take way longer to produce and that would be a good thing. Software engineering licensing should also be a thing, just like with other engineering disciplines. Imagine if your building or bridge were treated like a typical software product. God damn terrifying. It is time for this discipline to grow up.