I don’t really hold with conspiracy theories. Much more often than not you’ll find that underneath the surface is a large slice of misinformation, serendipity, and incompetence. So I was not surprised to read this article from Wired on the situation at Huawei:
https://www.wired.com/story/huawei-threat-isnt-backdoors-its-bugs/
From my experience of many years working in software development and delivery, this has more than a ring of truth about it. Like most aging software engineers, I spent a great deal of my youth studying Winston Royce, Mary Shaw, Watts Humphrey, Fred Brooks, Capers Jones, Barry Boehm, Dave Parnas, Grady Booch, Ivar Jacobson, Jim Rumbaugh, Philippe Kruchten, and many others. These were the people who built a new discipline of software engineering from the 1960s through to the start of the 21st century. They inspired and supported a generation of software developers... and it was my pleasure to have worked directly with the majority of them.
Let’s go back to a few basics. What we learned from their work is important and must not be forgotten. A few highlights:
- The industry average is between 15 and 50 bugs per thousand lines of code delivered. Given that a modern car may have upwards of 30 million lines of code deployed in it, you can work out the challenge for yourself.
- An enterprise software application brings with it an average of over $1M in technical debt to manage, support, upgrade, and replace it.
- Up to 75% of large software projects fail to complete, and the cost of these failed projects in the US alone is thought to be over $75B.
These figures and their underlying causes have not shifted significantly for the last 50 years. In fact, in spite of new software testing approaches, companies such as Apple have admitted that the quality of their released software is actually declining. The implications of this are severe. The digital world is driven by software. Lots of it. And much more is yet to be written. It needs to be written quickly, it needs to work, and it needs to be adaptable, upgradeable, and replaceable. And right now the bar is way too low.
The critical point being made in the Wired article is that the fear and complaints being levelled at Huawei hide a more fundamental concern about how difficult it is to understand and vet the commercially-produced software that is providing the fabric of our lives. And the article even makes a semi-serious comment that there is benefit to buggy software in that it obscures nefarious commercial motives.
One answer, of course, is to use open source software that is produced by the community, in the community, and for the community good. I am a big supporter of open source software, and more broadly the use of open licences and techniques for software development and delivery (see, for example, the paper I co-authored on this topic with Grady Booch many moons ago!). Use of open source is significant and growing. But the only viable future involves large amounts of commercially-produced software embedded in the infrastructure of the digital economy.
We must do better. Much more focus is needed on improving software quality. All organizations have an obligation to create and use software that has been designed with high quality as a core objective, and whose adherence to that objective over its lifetime can more easily be verified by outside organizations. I strongly believe that means going back to the works of the pioneers of that craft to re-learn some fundamental software engineering principles. Perhaps it’s time to dust off those old textbooks.