Every couple years somebody comes up with the idea, “Hey! let’s
license software engineers!” Committees are formed, standards drawn
up, and papers smoothed out by waiting bureaucrats–and then
everything falls apart and the software profession returns to the
status quo, because everybody realizes the plan just isn’t feasible.
I’ve been following this cycle for years, and even parodied it in the
of my story
Code the Obscure.
But the most recent wave of calls for licensing are getting
serious. The drive this time comes from the national security
kick. Computer systems are vulnerable because of bugs, and bugs are
human failings caused by programmers, so–the reasoning is hard to
fight–let’s ensure we have good programmers through licensing.
Licensing for software engineers is no longer an arcane topic to be
considered by the existing and aspiring members of a single field.
Once you license programmers and other computer professionals, you
open the door to making their employers liable for their work.
And the converse is also true: when you demand that government “should
pass a law…Make companies liable for insecurities” as leading
security expert Bruce Schneier does in his most recent
Crypto-Gram Newsletter of October 15,
you inevitably force those companies to set standards for their
employees. And the whole set of questions ties directly into our
national security debate.
No wonder calls for licensing and liability have been
getting louder. The only political arguments that seemed
to be aired against the trend represent the free-market
attitude, “Government shouldn’t get involved in business
matters,” which is no argument at all so far as I’m
The unanimity of experts on this topic has made me reluctant to share
my own point of view; I did not even circulate my recent article
The National Strategy to Secure Cyberspace: a Sober Cyberassessment
very widely. But I have felt pushed to speak out since reading the
November 2002 issue of the Communications of the ACM,
published by the
Association for Computing Machinery,
one of the oldest and most important organizations in computing.
This issue of their journal take up the topic of licensing (by no
means for the first time) and offers a number of perspectives. And
once again, the ACM and its guest authors come down overwhelming
against licensing. Only one article, by the renowned David Parnas,
offered firm support. The other points of view expressed ranged from a
wavering “Well, they’ve started licensing software engineers in Texas
and it hasn’t hurt anybody yet” to an extreme suggested by the title
“Software engineering considered harmful.” While I think the title of
that article is misleading, the author does essentially convey the
idea that the term “software engineering” is an oxymoron.
(I should point out that licensing is different from
certification. Licensing is backed by government requirements and
forms a legal requirement to practicing one’s profession.
Certification is much less intrusive, being just a statement by some
organization that you have mastered certain material, such as Windows
The software profession’s repeated refusals to countenance licensing
are impressive, because pragmatic circumstances pressure the leaders
of every profession toward licensing.
By licensing you reassure your customers of your competence. To take a
more cynical point of view, licensing creates a barrier to entry that
restricts the number of practitioners in a field and consequently
raises the salaries of those who cross the barrier. And one mustn’t
leave out the attractiveness of the mystification factor! (”We can’t
challenge what she tells us; she’s a licensed software engineer.”)
Admittedly, as one article in the ACM journal points out, there are
also disincentives to licensing. Licensing gives customers and others
a hook on which to hang lawsuits and the types of regulation called
for by Schneier and others. But these pressures exist anyway;
licensing could equally function as a way to stave them off.
The continuing evolution of the software field, which makes licensing
untenable, also dooms attempts to make companies liable for software
flaws. The problems faced are stated in my earlier-cited
But unfortunately, the state of the fifty-year-old software field is
nowhere near mature enough that we can justly hold programmers
responsible for bugs. While we have made progress in many areas–for
instance, we have programming languages that rule out the dreaded
buffer overflows responsible for most security flaws–we are always
running behind. This is because new programming techniques keep being
invented (for instance, popular languages like ASP and PHP for
building dynamic Web pages) and we cannot anticipate their security
Liability for software bugs would fall particularly hard on
the field of free and open source software, which ironically provides
the most robust and secure products.
The proposal for certifying security professionals may also be
misguided. Certain basic habits of good security can be delineated,
but I don’t know how well they can be formally taught or tested. The
particular vulnerabilities and attacks change so frequently that no
certification can ensure public preparedness.
My article does not rule out ratings by insurance companies
to enforce best practices, or holding companies liable
for egregious, deliberate negligence.
The particular issue of free software has also come up in
the licensing debate around
I highly respect the people who yearn for liability, but I
challenge them to come up with a concrete proposal for such a law that
would actually work and be fair. All I’ve seen so
far are vague demands and a lot of righteous indignation. I think the
debate should continue, because I’d like to find a solution–we just
have to look realistically at the state of software and think ahead to
the consequences of legal action.
Would licensing or liability be helpful?