Biden's cybersecurity strategy raises questions of liability


The shift of responsibility to software vendors in the National Cybersecurity Strategy should have all of industry asking questions.

When the Biden-Harris administration announced their new National Cybersecurity Strategy on March 2, it introduced five distinct pillars: 1) Defend Critical Infrastructure, 2) Disrupt and Dismantle Threat Actors, 3) Shape Market Forces to Drive Security and Resilience, 4) Invest in a Resilient Future, and 5) Forge International Partnerships to Pursue Shared Goals.

Arguably the most innocuous sounding of these five could prove to be the most contentious; pillar three sets out the strategic objective (3.3) to “shift liability for insecure software products and services.” This would entail, among other things, legislation that will establish liability (of manufacturers and software publishers) for insecure or vulnerable products and services. The requirement could also be seen as work to support and extend the “Securing Open Source Software Act of 2022” which is still undergoing committee scrutiny.

Shifting Responsibility from Buyers to Vendors

While the aim of moving the burden from those least capable of effecting change (the customer) to those most capable (the vendor) seems worthwhile at first glance, there are potential pitfalls that must be very carefully considered. Should software vendors be liable for vulnerabilities in the products they sell? Are they already liable to some degree, or would new legislation be required in order to make it so?

In almost every case, the end-user license agreement for software products will reveal a host of exculpatory clauses, exonerating the vendor of responsibility for any kind of direct, indirect, consequential (and just about every other applicable adjective) damages “whatsoever” that may arise from the installation or use of (or inability to use) the software product. Is this reasonable or indeed fair?

Software products are not a tangible asset and as such escape much of the legislation that applies to the sale of goods and their fitness for purpose. However, a huge number of successful compromises of systems and enterprises arise from the exploitation of a vulnerability or flaw in an application or operating system, or of a weak default configuration, and these often result in direct data loss and its associated consequences, such as exposure of intellectual property or personally identifiable information, brand damage, and financial loss.

Assessing the Impact of Liability

At first glance the case for enforcing some kind of liability on vendors seems obvious. Make the vendor legally responsible for the quality of their product and thus increase their focus on secure code development and maintenance. Lower the number of vulnerabilities in published products and create an ecosystem where vendors routinely produce more robust software. The idea is not a new one. Indeed, in the United Kingdom all the way back in 2007, a House of Lords Science and Technology Committee report on personal internet security reached the following conclusion (8.15):

“We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced.”

Similar calls have been echoed by such luminaries as Bruce Schneier and the European Commission. But what would be the consequences and does adequate cover exist already?

The first and most obvious is that it may well increase the cost of developing software. It is impossible to create invulnerable code, so vendors would be obliged to take out unlimited liability insurance contracts against the inevitable stream of lawsuits (the cost of this being passed on to the customer).

This level of liability could effectively sound the death knell for free and open-source software (FOSS), much of which forms the basic underpinning of today’s web-based services (for both public and private sectors) as well as the security of our communications, particularly when the temptation might exist for companies to skimp on even the most basic security practices, passing the buck to the software vendor when a breach occurs.

Patching Vulnerabilities is a Grey Area

Another unintended consequence could be equally costly for the buyer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for the now legacy versions, obliging customers to commit to expensive and perhaps unnecessary upgrades to continue to benefit from their newfound legal protection? Where do we truly stand right now? Are those end-user license agreements worth the bits they’re written on? Is new legislation required or even worthwhile?

In the traditional defense of the ignorant, “I Am Not A Lawyer!” So, I’ll defer to the opinion of a colleague who says: “if a software vendor negligently exposes its software to vulnerabilities, in particular because of defects in the software or non-compliance with best practices, under current law it can be held liable for all consequences arising therefrom. Exculpatory clauses in end-user license agreements can limit liability, but the validity of such clauses has to be examined on a case-by-case basis.”

Bear this in mind though: the vast majority of breaches involving vulnerabilities are the result of the exploitation of those for which a patch has already been released by the vendor. Even with a physical good such as a car, the vendor is not required to fix the (potentially life-endangering) fault, only to issue a recall and make the necessary changes. Is it really so different, and if you don’t respond to the recall notice, or install the patch, where should the liability lie in those cases?
