The Real Cost of Insecure Software: The Foundation of Civilization
- “The value of a thing sometimes lies not in what one attains with it, but in what one pays for it—what it costs us.”
- —Frederick Nietzsche
For the city of London, 1854 was a dreadful year. An outbreak of cholera, the third in 20 years, claimed over ten thousand lives. Six previous city Commissions failed to adequately address London’s growing sewage problem, leaving the entire metropolitan area—more than one million people—subject to the vagaries of overflowing cesspools, ill-constructed sewers, contaminated groundwater, and a dangerously polluted Thames River. Considering London was one of the most populated cities at the time and depended heavily on the Thames River, inaction had unfortunate consequences. Sadly, thousands of deaths could not properly motivate Parliament to overcome numerous bureaucratic and political obstacles required to address the crisis.
It was not until an inordinately hot summer in 1858 that the stench of the Thames so overwhelmed all those in close proximity to the river—particularly members of Parliament, many of whom still believed cholera to be an airborne rather than a waterborne pathogen—that resistance finally subsided. The “Great Stink” served as impetus to the largest civic works project London had ever seen.1
For the next ten years, Joseph Bazalgette, Chief Engineer of the Metropolitan Board of Works, constructed London’s newer and larger sewer network against imposing odds. Despite Parliament’s hard-won support and a remarkable design by Bazalgette himself, building a new sewer network in an active and sprawling city raised significant technical and engineering challenges.
Most obvious among these challenges was excavating sewer lines while minimizing disruption to local businesses and the city’s necessary daily activities. Less obvious, but no less important, was selecting contracting methods and building materials for such an enormous project. Modern public works projects such as the California Aqueduct, the U.S. Interstate highway system, or China’s Three Gorges Dam elicit images of enormous quantities of coordination and concrete. Initially, Bazalgette enjoyed neither.
Selecting suitable building materials was an especially important engineering decision, one that Bazalgette did not take lightly. Building materials needed to bear considerable strain from overhead traffic and buildings as well as survive prolonged exposure to and immersion in water. Traditionally, engineers at the time would have selected Roman cement, a common and inexpensive material used since the fourteenth century, to construct the extensive underground brickworks required for the new sewer system. Roman cement gets its name from its extensive use by the Romans to construct the infrastructure for their republic and empire. The “recipe” for Roman cement was lost during the Dark Ages only to be rediscovered during the Renaissance. This bit of history aside, Bazalgette chose to avoid Roman cement for laying the sewer’s brickwork and instead opted in favor of a newer, stronger, but more expensive type of cement called Portland cement.
Portland cement was invented in the kitchen of a British bricklayer named Joseph Aspdin in 1824. What Aspdin discovered during his experimentation that the Romans did not (or were not aware of) was that by first heating some of the ingredients of cement—finely ground limestone and clay—the silica in the clay bonded with the calcium in the limestone, creating a far more durable concrete, one that chemically interacted with any aggregates such as stone or sand added to the cement mixture. Roman cement, in comparison, does not chemically interact with aggregates and therefore simply holds them in suspension. This makes Roman cement weaker in comparison to Portland cement but only in relative, not absolute terms. Many substantial Roman structures including roadways, buildings, and seaports survived nearly 2,000 years to the present.
It is the chemical reaction discovered by Aspdin that gives Portland cement its amazing durability and strength over Roman cement. This chemical reaction also gives Portland cement the interesting characteristic of gaining in strength with both age and immersion in water.2 If traditional cement sets in one day, Portland cement will be more than four times as hard after a week and over eight times as hard in five years.3 In choosing a material for such a massive and important project as the London sewer, Portland cement might have rightly appeared to Bazalgette as the obvious choice. There was only one problem: Portland cement is unreliable if the production process varies even slightly.
The strength and therefore the reliability of Portland cement is significantly diminished by what would appear to the average observer as minuscule, almost trivial changes in mixture ratios, kiln temperature, or grinding process. In the mid-nineteenth century, quality control processes were largely non-existent, and where they did exist were inconsistently employed—based more on personal opinion rather than objective criteria. The “state of the art” in nineteenth century quality control meant that while Portland cement was promising, it was a risky choice on the part of Bazalgette. To mitigate any inconsistencies in producing Portland cement for the sewer project, Bazalgette created rigorous, objective, and some would say draconian testing procedures to ensure each batch of Portland cement afforded the necessary resiliency and strength. His reputation as an engineer and the success of the project depended on it.
Bazalgette enforced the following regimen: Delivered cement sat at the construction site for at least three weeks to acclimate to local environmental conditions. After the elapsed time, samples were taken from every tenth sack and made into molds that were immediately dropped into water where the concrete would remain for seven days. Afterward, samples were tested for strength. If any sample failed to bear weight of at least five hundred pounds (more than twice that of Roman cement), the entire delivery was rejected.4 By 1865, more than 11,587 tests were conducted on 70,000 tons of cement for the southern section of the sewerage alone.5 Bazalgette’s testing methodology proved so thorough, the Metropolitan Board who oversaw the project eventually agreed to Bazalgette’s request to construct sewers entirely from concrete. This not only decreased the time required to construct the sewerage, but eliminated the considerable associated cost of the brickworks themselves.6
Once completed, Bazalgette’s sewer system saved hundreds of thousands of lives by preventing future cholera and typhoid epidemics.7 The sewer system also made the Thames one of the cleanest metropolitan rivers in the world and changed the face of river-side London forever. By 1872, the Registrar-General’s Annual Report stated that the annual death rate in London was far below any other major European, American, or Indian city, and at 3.3 million people (almost three times the population from the time Bazalgette started his project), London was by far the largest city in the world. This state of affairs was unprecedented for the time. By 1896 cholera was so rare in London, the Registrar-General classified cholera as an “exotic disease.” Bazalgette’s sewer network, as well as the original cement used in its construction, remains in use to this day. Given that Portland cement increases with strength over time, it is likely London’s sewer system will outlive even some of Rome’s longest standing architectural accomplishments such as the aqueducts and the Pantheon.
Software and Cement
While Bazalgette’s design of the sewer network was certainly important, in hindsight the selection and qualification of Portland cement was arguably the most critical aspect to the project’s success. Had Bazalgette not enforced strict quality control on production of Portland cement, the outcome of the “Great Stink of London” might have been far different. Due to Bazalgette’s efforts and the resounding success of the London sewer system, Portland cement progressed in a few short years from “promising but risky” to the industry standard used in just about every major construction project from that time onward.
Portland cement’s popularity then, is due not just to its physical properties, but in large part to Bazalgette’s strict and rigorous quality tests, which drastically reduced potential uncertainties associated with Portland cement’s production. At present, more than 20 separate tests are used to ensure the quality of Portland cement, significantly more than Bazalgette himself employed. World production of Portland cement exceeded two billion metric tons in 2005, with China accounting for nearly half of that production followed closely by India and the United States.8 This works out to roughly 2.5 tons of cement for every person on the planet. Without Portland cement, much of modern civilization as we know it, see it, live on it, and drive on it would fail to exist.
Cement is everywhere in modern civilization. Mixed with aggregates such as sand and stone, it forms concrete that comprises roadways, bridges, tunnels, building foundations, walls, floors, airports, docks, dams, aqueducts, pipes, and the list goes on. Cement is—quite literally—the foundation of modern civilization, creating the infrastructure that supports billions of lives around the globe. One cannot live in modern civilization without touching, seeing, or relying on cement in one way or another. Our very lives depend on cement, yet cement has proven so reliable due to strict quality controls that it has to a large extent disappeared from our field of concerns—even though we are surrounded by it. Such is the legacy of Bazalgette’s commitment to quality: We can live our lives without thinking twice about what is beneath our feet, or more importantly, what may be above our head.
Civilization depends on infrastructure, and infrastructure depends, at least in part, on durable, reliable cement. Due to its versatility, cost-effectiveness, and broad availability, cement has provided options in construction that could not otherwise be attained with stone, wood, or steel alone. But since the 1950s, a new material has been slowly and unrelentingly injected into modern infrastructure, one that is far more versatile, cost-effective, and widely available than cement could ever hope to be. It also just so happens to be invisible and unvisualizable. In fact, it is not a material at all. It is software.
Like cement, software is everywhere in modern civilization. Software is in your mobile phone, on your home computer, in cars, airplanes, hospitals, businesses, public utilities, financial systems, and national defense systems. Software is an increasingly critical component in the operation of infrastructures, cutting across almost every aspect of global, national, social, and economic function. One cannot live in modern civilization without touching, being touched by, or depending on software in one way or another.
Software helps deliver oil to our cities, electricity to our homes, water to our crops, products to our markets, money to our banks, and information to our minds. It allows us to share pictures, music, thoughts, and ideas with people we might meet infrequently in person but will intimately know from a distance. Everything is becoming “smarter” because software is being injected into just about every thing. Software has accelerated economic growth through the increased facilities of managing labor and capital with unprecedented capacity. Hundreds of thousands of people if not millions owe their livelihoods to software. With its aid, we have discovered new medicines, new oil fields, and new planets and it has given us new ways of visualizing old problems, thereby finding solutions we might never have had the capacity, time, or ability to discover without it. With software we are able to build bridges once thought impossible, create buildings once thought unrealistic, and explore regions of earth, space, and self once thought unreachable.
Software has also given us the Internet, a massive world-wide network connecting all to all. In fact, connectedness in the twenty-first century is primarily a manifestation of software. Software handles the protocols necessary for communication, operates telecommunications equipment, bundles data for transmission, and routes messages to far-flung destinations as well as giving function and feature to a dizzying array of devices. Software helps connect everything to everything else with the network—the Internet—merely a by-product of its function. Without software, the network would be just a bunch of cables, just as a human cell without DNA would be just a bunch of amino acids and proteins.
Software is everywhere; it is everywhere because software is the closest thing we have to a universal tool. It exhibits a radical malleability that allows us to do with it what we will. Software itself is nothing more than a set of commands that tells a computer processor (a microchip) what to do. Connect a microchip to a toy, and the toy becomes “smart;” connect a microchip to a car’s fuel injector, and the car becomes more fuel efficient; connect it to a phone, and the phone becomes indispensable in life’s everyday affairs. Connect a microchip to just about anything, and just about anything is possible because the software makes it so. Software is the ghost in the machine, the DNA of technology; it is what gives things the appearance of intelligence when none can possibly exist.
The only aspect of software more impressive than software itself is the people that create software. Computer programmers, also known as software developers or software engineers, write the instructions that tell computers what to do. Software developers are in large part a collection of extremely talented and gifted individuals whose capacity to envision and implement algorithms of extraordinary complexity and elegance gives us search engines, operating systems, word processors, instant messaging, mobile networks, satellite navigation, smart cars, advanced medical imaging; the list goes on. As such, software is a human creation, and as a human creation it is subject to the strengths and foibles of humanity. This is where the similarities of cement and software become most interesting.
Software, like cement before it, is becoming the foundation of civilization. Our very lives are becoming more dependent on and subject to software. As such, the properties of software matter greatly: quality, reliability, security, each by themselves accomplish very little, but their absence faults everything else. Like Portland cement, software can be unreliable if production processes vary even slightly. Whereas variations in kiln temperatures, mixture ratios, or grinding processes can detrimentally affect the strength and durability of Portland cement after it has been poured, there are a host of similar, seemingly trivial variations in producing software that can detrimentally affect its “strength” when “poured” into microchips. It is up to humans to get the production process right.
Unlike Portland cement, for more than 50 years software of all types and function has been continuously released into the stream of commerce, plagued by design and implementation defects that were largely detectable and preventable by manufacturers, but were not. This has and does result in catastrophic accidents, significant financial losses, and even death. The trepidation over insufficient software manufacturing practices extends back to the late 1960s when the North American Treaty Organization (NATO) convened a panel of 50 experts to address the “software crisis.” While the panel did not provide any direct solutions, the concept of a “software engineer” was developed as a means to more closely align software manufacturing with the engineering discipline rather than artistic creativity. The intent, as far as we can tell, was to remove the “rule of thumb” in the production of software and all the inconsistencies such approximation introduces. After 50 years, defining what actually constitutes the principles and practice of software engineering has not progressed far. What is clear, however, is that the unfortunate history of software blunders sullies the reputation of software in general and distorts the genius of software developers in particular.
Perhaps most frustrating is the inconsistent use of quality control measures by such a wide range of software manufacturers for such an extended period of time. Software is infinitely more complex than cement to be sure, but complexity does not entirely account for systemic, reoccurring software manufacturing defects. Quality control measures—even in the absence of a clear definition for software engineering—have been and are available specifically to address problems with software production.
Software has its own modern-day equivalent of Joseph Bazalgette: his name is Watts Humphrey. Humphrey is a fellow and research scientist at Carnegie Mellon University’s Software Engineering Institute (SEI) and is often called the “father of software quality” having developed numerous methodologies since the 1980s for designing quality and reliability into software products. In 2005, President George W. Bush awarded Mr. Humphrey the National Medal of Technology, the highest honor for innovation in the United States. The only problem in this story is that a significant portion of software manufacturers around the world still largely ignore or only superficially implement Humphrey’s guidance. As a result, the Software Engineering Institute noted at the beginning of the twenty-first century that software was getting worse, not better. Such a proclamation augurs ill for civilization’s newest foundation.
But if software quality were the only issue, perhaps we could discount the problem of low-quality software simply on the basis of “growing pains.” After all, at 50 years old, some might argue software is still a relatively new phenomenon and that such failures in quality are understandable and even tolerable for such a young technology. When civil engineering was 50 years old, for instance, the brick had not even been invented yet.9
Yet when civil engineering was 50 years old, the profession was not building and connecting global infrastructure. Software’s newness has not precluded it from being injected into nearly every aspect of modern civilization. That software connects everything to everything else magnifies even the smallest foibles in software production. This introduces a critical aspect of software vastly different from weaknesses in traditional building materials: once interconnected, even the smallest piece of insecure software may have global consequences. New or not, software needs to be worthy of its place.
Weaknesses or defects in software can not only result in a given software application failing for one reason or another (including no reason), but software defects can potentially be exploited by hackers, who, discovering or knowing the weakness exists, may use it to surreptitiously access and control a system from a continent away, stealing sensitive personal information such as credit cards or social security numbers or absconding with trade secrets or intellectual property. Such weaknesses could also be used to hijack computer systems and then turn those systems against their owners or against other nations and other peoples. In the end, insecure software is right now resulting in economic and social costs that are now well into billions of dollars per year with no sign of abatement. The trend is disturbing.
Understanding why this situation persists and seems to be only getting worse has important implications for modern civilization. In other words, new or not, society inevitably demands any technology used in the foundation of civilization, whether cement or software, should be given the time and attention foundations deserve. Bazalgette and his legacy expected no less; nor should we.