
This is the kind of breach that really should be company-ending, but will sadly instead likely result in a slap on the wrist.

It is high time for the US to have a privacy law with real teeth, and to enforce it with vigour.



Or maybe it's time to turn software engineering into an actual engineering profession. If the people responsible for designing and maintaining the AT&T system were "real" engineers, they could be sued for malpractice or even lose their license to practice.


The root cause is not whether engineers are licensed (I'm fine with that idea, but it's not going to resolve this specific problem). Instead, it is a culture of not caring about security because the fines are a cost of doing business, which comes from management, and of treating personal information as an asset instead of a liability.

A Sarbanes-Oxley style law that makes the CEO personally criminally responsible for breaches will be vastly more effective than pursuing individual engineers - many of whom will be on the types of visa where they have no effective route of pushback on orders anyway.


When a doctor is negligent, their employer is often also sued if it can be shown that it knew shenanigans were underway and did nothing.

We shouldn't choose between holding engineers or executives responsible. Each should be held responsible for their part.


Indeed - but we should start at the place likely to actually make a difference: the executives.


Snowflake still works though. What civil engineer has been sued because somebody jumped off their bridge? You get sued when the bridge collapses not when somebody uses it for an unintended action.


Do you really think that requiring 4-year degrees and passing a licensing exam would make a big difference? The fact is that, outside of civil engineering which involves a lot of dealing with regulatory agencies, most engineers in the US don't have PEs. I started on the path to get one because, had I stayed on my initial career path, I'd have been sending blueprints etc. to regulatory agencies but I ended up changing careers.


No, what will make the difference is being personally liable for the vulnerabilities you introduce.

Not the company. You.


How many individual engineers do you suppose get prosecuted for making errors--even careless ones? I'm guessing very few in the West. And I'm not even sure lopping off a head here and there to encourage the others is even a good idea.


> How many individual engineers do you suppose get prosecuted for making errors--even careless ones?

Not many but is that because they don't get sued or because professionals who face consequences for negligence make fewer stupid decisions?


I would assume that engineers, at least in the US, are far more concerned about getting fired/eased out than prosecuted if they do stupid things given that companies can do so pretty easily.


Would you say the same is true for a lawyer? Are they more worried about being fired from a law firm than being sued for malpractice and being disbarred? If not, why would engineers be different?


I would assume that being disbarred has a pretty high standard of misconduct as opposed to simply not making partner or whatever level of action makes maintaining employment at a large law firm practical.


Look at Sarbanes-Oxley for precedent. Management has to be made liable for sufficient cultural shift to occur.


A class-action suit sounds reasonable, but sadly those never give penalties in the right ballpark. Here it should be hundreds to thousands at least per affected customer.

But my guess is it will be a few tens of cents, if that... while the lawyer will get a nice couple-million pop...



