
Cyber Product Liability


Recently, I was consulting on the development of cyber strategies that would lead the way in developing guidance on this rapidly emerging threat.

The objective of this work was to articulate new cyber concepts, doctrine, strategies and technology solutions, using scenario-based intelligence analysis and trans-disciplinary intelligence engineering to advance the current corpus of knowledge and apply it toward the development of cyber attack strategies that manage this emerging risk. Several interesting observations were made. A review of intelligence surrounding the cyber attackers' Modus Operandi (MO) led to an interesting question.

The question was: What liability should hardware and software vendors bear for vulnerabilities in their products?

Our discussions brought up the legal aspect of this issue in the context of product liability. Product liability is the area of law in which manufacturers, distributors, suppliers, retailers and others who make products available to the public are held responsible for the harm those products cause.

The claims most commonly associated with product liability are those of negligence, strict liability and breach of warranty. A product liability claim is usually based on one or more of the following causes of action.

  • Design Defects
  • Manufacturing Defects
  • Failure to Warn

A software vulnerability would clearly fall under the product defect cause of action.

The IBM X-Force mid-year report stated that the overall number of vulnerabilities continued to rise, as did the overall percentage of high-risk vulnerabilities. Approximately 3500 software vulnerabilities were announced in the first six months of 2008, and the count was on track to exceed the total number reported in 2007.

Given that our critical infrastructure, our national security and our economy are dependent on generally available hardware and software.

Take the poll below to tell us what you think: Should hardware and software vendors be held accountable for flaws in their products that are exploited and used to gain access to and exploit the system?


Kevin Coleman


C. Juergens December 15, 2008 at 2:06 pm

MIT Technology Review discussed this issue last year, although with a different slant:
http://www.technologyreview.com/computing/12887


A December 15, 2008 at 10:47 pm

Although everyone loves throwing the words “cyber” around, I think this is essentially just a basic security issue. If you throw enough time and resources at something it can be made relatively secure, but in doing so you might make it so hard to use that it isn’t even worth using. Eventually it’ll be nice and secure, but unusable; or the development will take so long we’re a full generation behind.
The AF has had problems “securing” our nuclear weapons, what level of security do you expect from the private sector? When you consider a basic service outage as a cyber attack, then you have to remember that any yahoo can walk over to a manhole cover somewhere and simply cut the wires.


Mac December 16, 2008 at 7:06 am

Yeah, more lawsuits are ALWAYS the answer. Have you considered that maybe a vulnerability (oh, sorry, a “cyber” vulnerability) may be (cyber)fixed faster if that (cyber)company isn’t also tied up in court?
Is this supposed to be some kind of fear tactic?


SpyGuy December 16, 2008 at 9:48 am

Mac
Dream on Alice (Mac) – the software industry has not fixed the problem in two decades so why would anyone think they will without the threat of litigation.
Not only that, but they have demonstrated their mindset by not disclosing known vulnerabilities to officials time and time again. Not only that, but in some cases they take years to fix the bugs.
Wonderland with fewer or no software vulnerabilities is right around the corner!


Jim Harvey December 16, 2008 at 2:03 pm

The case would not be parallel to someone building you a fence but leaving a hole in it that the bad guy got through. That would imply someone knows how to make a perfect fence that can’t be breached.
It is more like someone built you a fence, which is a great fence. But some bad guy made himself a pole vault and took advantage of the fence’s natural vulnerabilities.
It would be outrageous to hold a company liable for the cleverness of a separate party.


Brian December 16, 2008 at 6:47 pm

Obviously it depends upon the vulnerability in question. Like any products liability case, it will turn upon 1) what the company knew, 2) what the product could reasonably be expected to do, and 3) the nature of the failure.
There is a big difference between a hacker busting through a well designed system and a company knowingly putting out an OS that had massive security flaws.


ohwilleke December 17, 2008 at 5:13 pm

Liability to the purchaser for defective software and hardware is almost universally limited by contract to the purchase price. And, in cases of solely economic or intangible injury, those waivers are almost always upheld.
Third parties could have a claim, but very often, in instances when military software and hardware harm third parties, the users are entitled to governmental immunity, and this immunity often extends to the harm caused by products used by the military. There are specific exceptions where unintentional injuries caused by government action may be a basis for a lawsuit, set forth in the Federal Tort Claims Act (for federal government employees including soldiers), despite governmental immunity, but those are quite narrow (car accidents, slip and fall, etc.). It is very hard to make out a novel claim under the FTCA.
The moral or “should” argument is closely intertwined with the “duty to warn” issue. If it is widely known and expected that software has significant security flaws, then it is unreasonable to expect it to be cyber attack proof and the appropriate solution may be to keep sensitive materials off line, or at least disconnected from wide area networks, so that foreseeable harm can be prevented.
From a law and economics perspective, the theory says that responsibility should be placed on the person who can prevent the harm at the lowest cost. If choosing a Mac or Linux system over one made by Microsoft at a modest cost, for example, perhaps the best solution is for the people who have sensitive systems to avoid using Microsoft products. The utter inability of Microsoft and a number of other vendors to make secure software, despite vast resources and potential marketing benefits associated with doing so, strongly implies that it is very costly or even impossible to make their products both publicly useful and secure.
