
The End of Cybersecurity


In November 1988, the Morris worm—an experimental computer program written by a curious graduate student—unintentionally crippled the early Internet and exposed for the first time the serious consequences of poorly designed software. Nearly 40 years later, the world still runs on fragile code riddled with the same kinds of flaws and defects. Amid frequent news reports about hacks and leaks, a key truth is often overlooked: the United States does not have a cybersecurity problem. It has a software quality problem. The multibillion-dollar cybersecurity industry largely exists to compensate for insecure software.

The impact of persistent weaknesses in U.S. software is playing out in real time. Since at least 2021, for instance, hackers connected to China’s Ministry of State Security and People’s Liberation Army have exploited the same types of flaws that the Morris worm feasted on decades ago. These groups—referred to as Salt Typhoon and Volt Typhoon—have taken advantage of unpatched systems, poorly secured routers, and devices built for connectivity rather than resilience to infiltrate telecommunications networks, transportation systems, and power utilities. And just this year, Russian Federal Security Service hackers exploited an unpatched flaw in networking devices to compromise thousands of routers and switches connected to U.S. infrastructure. As more institutions, from hospitals to ports, rely on software to function, unsafe code is a growing threat to the United States.

These vulnerabilities endure because software vendors face few incentives to prioritize security. It remains cheaper and faster to shift the costs of insecurity downstream to customers. And because much of the code that underpins critical infrastructure is decades old, rewriting it securely has long been too expensive and time-consuming to make business sense.

But capabilities—including the accelerating power of artificial intelligence—are emerging to fix these software problems across entire digital ecosystems. This could spell the end of cybersecurity as we currently know it—and make the United States much less vulnerable as a result. But the window to take advantage of new technology is closing as U.S. adversaries, too, are looking to use AI to enhance their cyberattack capabilities. Now is the time for U.S. government agencies, large companies, and investors to work together to fundamentally shift economic incentives and use AI to improve the United States’ digital defenses. Cyberspace will never be completely safe. But the cybersecurity market as it currently exists does not have to be a permanent feature of the digital age. A better and more secure approach to software is within reach.

In the popular narrative, hackers—whether they are individual rogue actors, state-sponsored groups, or teams backed by criminal syndicates—are mysterious and clever, deviously exploiting careless employees and misconfigured servers. But most intrusions do not succeed because attackers wield exotic cyberweapons. They succeed because widely deployed technology products are installed with well-known and preventable defects.

The core issue is economic, not technological. Most buyers have no practical way to judge whether the software they purchase is secure. They must take vendors at their word, which creates little incentive for the designers or sellers of software to invest in protections that customers cannot see or measure. As a result, software vendors compete on aspects that are more obvious to buyers: lower prices, getting their products to market first, and convenient functionalities such as one-click integrations with other systems or easy remote access. But focusing on these features often comes at the expense of adequate safeguards against cyberthreats. Market forces simply do not incentivize prioritizing security in the design process.

This has led to the rise of the cybersecurity aftermarket—a sprawling ecosystem of antivirus systems, detection capabilities, firewalls, and much more—which essentially provides bolt-on solutions to address software insecurities. And although the cybersecurity industry has evolved into an impressive community of talented innovators, its interventions are necessarily rearguard actions. Cybersecurity systems limit the damage of malware that should never have been able to spread, clean up breaches that should never have occurred, and fix flaws that should never have existed.

Software companies also deprioritize security in their product design because they are rarely held liable for security failures. In the United States, there is no enforceable baseline standard for what security protections software must have, nor are there penalties for insecure software, essentially making unsafe design a rational business choice. When catastrophic breaches occur, software companies create patches........

© Foreign Affairs