Published: 2008
Publisher: Addison-Wesley
ISBN: 0-321-47789-8
Full disclosure: I am a software developer who is generally a free-market conservative. David Rice writes as though software developers are incompetently nefarious drolls who have created a market failure that requires heavy government intervention to protect the masses. If that sounds like "over the top" rhetoric, wait until you read his book. Peppering his prose with emotionally charged language like "sad irony", "public ignorance" and "shockingly", and of course his most quoted phrase "six billion crash test dummies", David Rice leaves the reader with the feeling they have just read the latest in best-selling "pop-business".
The Foundation of Civilization
The book starts with a captivating look at the beginnings of the use of Portland cement. In the mid-1800s an engineer named Joseph Bazalgette was commissioned to rebuild the London sewer system. He selected the relatively new Portland cement formula as his primary building material. In order to ensure quality construction, Bazalgette instituted a regimen of testing and rigorous quality controls that helped ensure that his project was a long-lasting success.
From here, Rice draws an analogy between the pervasiveness of Portland cement in today's physical world, and the pervasiveness of software in today's virtual world. The major premise of Rice's book is that software is the underpinning of modern society and that it is inherently weak. He believes that this weakness is detrimental to humanity and that the market has failed to correct the problem.
To be fair, I agree with Rice that software development as a profession has some very serious problems. At the same time, it is an incredibly young profession and to claim that it is in as poor a state as Rice claims is a bit presumptuous and premature. I believe the market should be given a chance to calm some of the troubled waters before taking some of the more drastic measures proposed in this book.
Cost of Switching
One of the problems that the software market faces is the consumers' choice of features over quality. This choice is, I believe, due to asymmetric information. Consumers believe that higher prices in software are due primarily to adding new features. This leads to the assumption that if you are going to pay a lot for something, you better get a lot of features! Software developers, however, realize that adding new features is not as costly as increasing the overall quality of the application.
On this much, I believe, Rice and I agree. Rice's solution however is to call this a market failure. He believes that people would not pay for quality even if they knew how much it cost. I tend to trust people more than that. I believe that if the average consumer understood that the higher quality software with a smaller feature set really was a good value, they would make the appropriate choice for their situation.
This is an important distinction. I believe consumers should be able to choose poor quality if they want, as long as they understand what is meant by quality. To draw an analogy (one that Rice uses in his book), look at automobiles. There is a broad continuum of quality when it comes time to purchase a new car. Quality in vehicles can mean anything from softer seats to a higher crash test rating. It is up to the consumer to decide what kind of quality is important if any.
Rice argues that if the government had not stepped in back in the 60's, automobile manufacturers would still be creating the same quality vehicles with regard to crash safety. I am not entirely certain this is true. He points to the 5 star Safety Rating System as being a shining example of government intervention to induce better safety. Truthfully I don't know that I have ever actually known the Safety Rating of any of the vehicles I have bought, and of the dozens of car commercials I have seen that claimed one, I couldn't tell you which ones had what ratings. I don't believe the 5 Star Rating System communicates anything to consumers about the quality of the vehicles.
I can tell you, however, that I have the perception that certain vehicles are "safer". For instance, my personal feeling (without doing any research) is that probably Volvo and Mercedes are some of the safer vehicles to buy. However, I don't own either of these vehicles, nor have I ever, because I don't value "crash safety" as much as I do other kinds of quality.
The same situation will apply eventually in the software world. At some point, consumers are going to realize that while Software A might have pretty charts and graphs, they really don't need them. Instead what they need is Software B, which while lacking the needless charts and graphs, does include built-in encryption of sensitive business data.
David Rice would like for all software to have all the highest quality. I would like for consumers to be able to tell the difference and be educated to make the correct choice for their situation. I trust the consumer; Rice doesn't trust the market.
National Security
Not to belabor the point, but an example of David Rice's wild rhetoric was in his section on Information Warfare. He talks in some detail about the efforts of nation-states to infiltrate each other's information systems in order to gain strategic, and possibly tactical advantages in the event of a more traditional war breaking out. He makes the following statement:
"This is what makes the growth of Information Warfare so disturbing-- nations sanctioning activities its own laws clearly criminalize."
My response to this was "duh!" What do you think spying as an entire class of activities is? If you conscientiously object to the art of spying, I can sympathize if not agree with you. But to act as though Information Warfare is a brand new set of sanctioned "activities [that we] criminalize" is a bit naive.
Government Is the Answer
If we were to agree that software as a market has failed, then what is the solution? A large portion of Rice's solution seems to lie in the seeking of relief in the courts. Given the apparently liberal bias of the author, it is not surprising that he argues against contractual protection for both consumers and producers, but argues instead for relief in tort. I personally find it absurd to think that the tort system is a more efficient leveler than the market, but the author seems to think it is plausible.
Towards the end of the book Rice draws a relation between regulating software development and regulating carbon emissions. I found it somewhat ironic that he would choose such a controversial model. There is considerable disagreement in the science world about the exact nature of the problem with carbon emissions, much less what the right solution is. Similarly, there is quite a bit of skepticism about the nature of the problem in software development. I am not sure it is a good idea to throw solutions against the wall to see which one sticks.
Sloppy Programmers are the Problem
I was not a software developer by profession prior to 2000 so I did not personally take offense to Rice's characterization of the Y2K problem, but I found it lacking insight. Rice blames the Y2K problem on "sloppy programmers" who "forgot" 2 decimal digits on their dates. This shows either a blatant disregard for reality or a serious lack of understanding of the history of the software profession. Rice is supposed to be an expert in the field so I will chalk this up to a blatant disregard for reality in order to prove his point.
Programmers did not "forget" to put the first 2 digits on the year. The practice of using 2 digit years actually predates computer programming by quite a bit. But using only 2 digits was very important in the 60's and even into the 80's. Storage space, both memory and long-term disk storage, was extremely expensive. With today's technology it is difficult to imagine a time when saving 2 digits was important; however, the fact remains that prior to the 80's it was incredibly important.
The Real Cost of Insecure Software
The sub-title of Rice's book is "The Real Cost of Insecure Software". He labors throughout the book to argue that the cost has been passed on to the consumer but should be assumed by the producers of software. Of course he understands that in doing so, the producers will pass the cost of writing "secure" software on to the consumer. He is correct in pointing out that this is not a zero-sum game. Placing the cost in the right place is an important thing for the efficiency of both the market and the consumers who run their business with the software.
What alarms me is one of Rice's arguments. He explores the possibility of two software companies, one a "socially responsible one" that writes good software that costs $100. Another one is apparently socially irresponsible and creates bad software for only $50. How, Rice asks, is the socially responsible company supposed to compete?
My immediate response would be to let the market decide. Consumers will eventually figure out which one delivers the most value.
The bigger question I have is this: Does Rice really think that the world can afford a doubling of the cost of software? Imagine every piece of software you own, from your operating system down to your photo editing software, doubling in price. Now imagine every business that is running software doubling their cost of software. Now imagine if those costs are passed on to you the consumer. In spite of Rice's alarmist rhetoric, I don't believe the world needs to spend twice as much on software in order to fix the problem.
Conclusion
Obviously I am not a big fan of David Rice after reading this book. He is a reasonably good writer who did quite a bit of research. Unfortunately he allowed his research to be tainted by a bias toward the extraordinary. I am sure this bias helped sell books... after all people would rather read about the world ending than about the slow and steady progress of humanity. That said, I think anyone in the software professions needs to read this book.