On a day when The New York Times has a story criticizing the federal government's technology procurement process as outdated, and The Washington Post has a story pointing out that the firm principally responsible for the Obamacare website had corporate ties to a company responsible for a number of recent failed government tech projects, it's interesting to read this and realize that tech complacency in America is hardly limited to the public sector:
Weak U.S. card security made Target a juicy target
The U.S. is the juiciest target for hackers hunting credit card information....
That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.
"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation....
In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.
"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.
The right thinks that capitalism has miracle self-healing properties -- marketplace competition ensures that all problems will be solved, either by hungry competitors doing a better job or by established companies working harder and harder to stave off those competitors. But capitalism often doesn't work that way. When it came to the Obama website, the Post story says that bidding was limited to a few companies on a Bush-era list. The Times story says the government favors "multinational companies with large legal teams" over nimbler upstarts, and projects are run in ways that are old-fashioned and inflexible. Well, the credit-card industry also seems to be dominated by a handful of established companies that are too huge to have to worry about competition from upstarts. And credit card processing seems to be done the way it's done because it's always been done that way.
And if you think there's been a lot of finger-pointing and responsibility-shirking with regard to Healthcare.gov, well, the same goes for credit cards:
... Companies haven't enhanced security so far because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.
Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.
In both the private sector and government contracting, it's easy to make big bucks just by protecting your status as an established mega-player. The banks and credit card companies are established, fat, and happy: they've been around forever, and they don't lose enough money from fraud to care very much about it. In contracting, please note that CGI, the main Healthcare.gov contractor, got to be a major player in government tech projects after it bought American Management Systems, a now-troubled company founded in 1970 by former "whiz kids" who worked under Robert McNamara at the Defense Department in the Kennedy/Johnson years. You can't get much more established -- or Establishment -- than that.
A lot of aspects of America are aging, embedded, and sclerotic. Complacency is widespread, as is a "We've got ours, who cares about you" attitude. Government doesn't have a monopoly on this. And capitalism is not the cure-all.