Flash is finally dying at the end of this year, and it will not be missed.
Let me be direct: We should be happy that this software, one of the worst ever to plague our lives from a security perspective, is going away, and at the same time, Flash was not a fluke. Security has come a long way, but the ecosystem that allowed Flash to become a software security serial killer still exists and is ready to let it happen again. This time, the stakes are infinitely higher.
Everyone Knew Flash Was Bad
As they promised way back in July 2017, Adobe will stop distributing, updating, or issuing patches for Flash Player after Dec. 31. Across a seven-year rampage from 2010 to 2017, Flash affected 1 billion users, dishing up more than 1,500 critical vulnerabilities — peaking with nearly one new vulnerability reported every day in 2015. Flash continued to grow despite very vocal, very prominent critics. Grassroots movements like Occupy Flash were founded, and major players like Facebook and Mozilla called to retire Flash.
One towering figure in particular, Steve Jobs, took a major aim at Flash. He had a complicated relationship with the software, initially embracing it, then becoming its biggest critic. In an infamous open letter, “Thoughts on Flash,” in 2010, Jobs outlined his decision to ban Flash from iOS devices. In the letter, Jobs pointed out how Symantec had condemned Flash for having an abysmal security track record.
By and large, everyone seemed to understand that Flash was a Big Problem. Yet Adobe faced no true downside from the havoc it wrought. There were no government fines, no lost future business — no real consequences at all. But the businesses that fell victim to Flash’s security vulnerabilities suffered. And they still suffer.
Consider this: We’re now close to the end of Flash, and 2.5% of Internet users still use it every day. From top tech execs to thousands of developers and engineers to hundreds of thousands of consumers, most are very aware in 2020 of how bad Flash is, yet some won’t begin their Flash detox until its dying day.
In the end, Flash gets to retire gracefully when it should have been aggressively put to pasture years ago.
What Went Wrong?
In the early days of software, there was a lot to gain from releasing quickly and cheaply and very little downside. Cybercrime was not a real threat. Software terms and conditions established that publishers could release untested software because it worked mostof the time. Nobody gave much thought to liability over software failings. Updates and patches were promised and provided, yes, but nobody was held accountable to make sure they were installed properly, on time, or at all.
This worked really well for a very long time and supported incredible rates of technology innovation. Today however, software is more mature. The gains from new releases are small, yet cyberattacks are the most colossal risk to businesses. Software controls every part of a business, and holding it for ransom has become immensely valuable for criminals.
In other words, the precedent set long ago that allows vendors to release compromised software into the world with impunity is a major crack in the digital economy’s foundation.
We Aren’t Safe From Software Security Serial Killers
Flash caused an onslaught of damage even limited to only one technology platform: Web browsing. Today, more businesses are online with more platforms and more devices. All of these systems are connected and often interdependent. The entirety of business today is online and digital — from financials to enterprise resource planning to customer relationship management. When everything is digital data, everything is at risk. As the complexity of software environments continues to grow, it becomes more difficult to prevent cyber-risk. And it doesn’t help when the underlying software you buy becomes the Trojan horse.
None of this is theoretical. We know what happened with Flash and why. And yet creators continue to put software serial killers on the market and continue to avoid any significant consequences. Software companies aren’t incentivized to protect their customers, whether the customer is a business or an individual. Why are we allowing this to happen? Clearly, everyone knows they have issues. Yet we continue to accept this as the way things are.
We should be outraged by software vendors’ lack of action. More than that; we should be outraged that we have enabled them, just as we did Flash, for years and years.
Flash is nearly dead and good riddance, but at what cost to privacy and economic interests? Flash will live on in the terrible security precedent it helped perpetuate. And if we want to avoid another 10,000 Flashes, we cannot be complacent; we must acknowledge that we are complicit in the perpetuation of business-killing risk. Our decisions about which software to buy, which security settings to accept, and which upkeep to ignore make us complicit. We must demand better from those who have the power to determine our technological fates. And we must make better decisions about how we protect ourselves.
Rotem Iram is the Founder and CEO of cyber insurance company At-Bay. With nearly two decades of security and engineering experience, he previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, … View Full Bio