http://defensetech.org/2008/12/15/cyber-product-liability/ The Future of the Military, Law Enforcement and National Security Sat, 26 May 2012 02:10:56 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94988 ohwilleke Wed, 17 Dec 2008 22:13:48 +0000 http://deftech.usmilblog.com/?p=4239#comment-94988 Liability to the purchaser for defective software and hardware is almost universally limited by contract to the purchase price. And, in cases of solely economic or intangible injury, those waivers are almost always upheld. Third parties could have a claim, but very often, in instances when military software and hardware harm third parties, the users are entitled to governmental immunity, and this immunity often extends to the harm caused by products used by the military. There are specific exceptions where unintentional injuries caused by government action may be a basis for a lawsuit, set forth in the Federal Tort Claims Act (for federal government employees including soldiers), despite governmental immunity, but those are quite narrow (car accidents, slip and fall, etc.). It is very hard to make out a novel claim under the FTCA. The moral or "should" argument is closely intertwined with the "duty to warn" issue. If it is widely known and expected that software has siginficant security flaws, then it is unreasonable to expect it to be cyber attack proof and the appropriate solution may be to keep sensitive materials off line, or at least disconnected from wide area networks, so that foreseeable harm can be prevented. From a law and economics perspective, the theory says that responsibility should be placed on the person who can prevent the harm at the lowest cost. If chosing a Mac or Linux system over one made by Microsoft at a modest cost, for example, perhaps the best solution is for the people who have sensitive systems to avoid using Microsoft products. The utter inabilty of Microsoft and a number of other vendors to make secure software, despite vast resources and potential marketing benefits associated with doing so, strongly implies that it is very costly or even impossible to make their products both publicly useful and secure. Liability to the purchaser for defective software and hardware is almost universally limited by contract to the purchase price. And, in cases of solely economic or intangible injury, those waivers are almost always upheld.
Third parties could have a claim, but very often, in instances when military software and hardware harm third parties, the users are entitled to governmental immunity, and this immunity often extends to the harm caused by products used by the military. There are specific exceptions where unintentional injuries caused by government action may be a basis for a lawsuit, set forth in the Federal Tort Claims Act (for federal government employees including soldiers), despite governmental immunity, but those are quite narrow (car accidents, slip and fall, etc.). It is very hard to make out a novel claim under the FTCA.
The moral or “should” argument is closely intertwined with the “duty to warn” issue. If it is widely known and expected that software has siginficant security flaws, then it is unreasonable to expect it to be cyber attack proof and the appropriate solution may be to keep sensitive materials off line, or at least disconnected from wide area networks, so that foreseeable harm can be prevented.
From a law and economics perspective, the theory says that responsibility should be placed on the person who can prevent the harm at the lowest cost. If chosing a Mac or Linux system over one made by Microsoft at a modest cost, for example, perhaps the best solution is for the people who have sensitive systems to avoid using Microsoft products. The utter inabilty of Microsoft and a number of other vendors to make secure software, despite vast resources and potential marketing benefits associated with doing so, strongly implies that it is very costly or even impossible to make their products both publicly useful and secure.

]]> http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94987 Brian Tue, 16 Dec 2008 23:47:02 +0000 http://deftech.usmilblog.com/?p=4239#comment-94987 Obviously it depends upon the vulnerability in question. Like any products liability case, it will turn upon 1) what the company knew, 2) what the product could reasonably be expected to do, and 3) the nature of the failure. There is a big difference between a hacker busting through a well designed system and a company knowingly putting out an OS that had massive security flaws. Obviously it depends upon the vulnerability in question. Like any products liability case, it will turn upon 1) what the company knew, 2) what the product could reasonably be expected to do, and 3) the nature of the failure.
There is a big difference between a hacker busting through a well designed system and a company knowingly putting out an OS that had massive security flaws.

]]> http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94986 Jim Harvey Tue, 16 Dec 2008 19:03:30 +0000 http://deftech.usmilblog.com/?p=4239#comment-94986 The case would not be parallel to some one building you a fence but leaving a hole in it that the bad guy got through. That would imply some one knows how to make a perfect fence that can't be breached. It is more like some one built you a fence, which is a great fence. But some bad guy made himself a pole vault and took advantage of the fence's natural vulnerabilities. It would be outrageous to hold a company liable for the cleverness of a separate party. The case would not be parallel to some one building you a fence but leaving a hole in it that the bad guy got through. That would imply some one knows how to make a perfect fence that can’t be breached.
It is more like some one built you a fence, which is a great fence. But some bad guy made himself a pole vault and took advantage of the fence’s natural vulnerabilities.
It would be outrageous to hold a company liable for the cleverness of a separate party.

]]> http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94985 SpyGuy Tue, 16 Dec 2008 14:48:32 +0000 http://deftech.usmilblog.com/?p=4239#comment-94985 Mac Dream on Alice (Mac) - the software industry has not fixed the problem in two decades so why would anyone think they will without the threat of litigation. Not only that , but they have demonstrated their mindset by not disclosing know vulnerabilities to officials time and time again. Not only that but in some cases they take years to fix the bugs. Wonderland with fewer or no software vulnerabilities is right around the corner! Mac
Dream on Alice (Mac) — the software industry has not fixed the problem in two decades so why would anyone think they will without the threat of litigation.
Not only that , but they have demonstrated their mindset by not disclosing know vulnerabilities to officials time and time again. Not only that but in some cases they take years to fix the bugs.
Wonderland with fewer or no software vulnerabilities is right around the corner!

]]> http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94984 Mac Tue, 16 Dec 2008 12:06:48 +0000 http://deftech.usmilblog.com/?p=4239#comment-94984 Yeah, more lawsuits are ALWAYS the answer. Have you considered that maybe a vulnerability (oh, sorry, a "cyber" vulnerability) may be (cyber)fixed faster if that (cyber)company isn't also tied up in court? Is this supposed to be some kind of fear tactic? Yeah, more lawsuits are ALWAYS the answer. Have you considered that maybe a vulnerability (oh, sorry, a “cyber” vulnerability) may be (cyber)fixed faster if that (cyber)company isn’t also tied up in court?
Is this supposed to be some kind of fear tactic?

]]> http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94983 A Tue, 16 Dec 2008 03:47:50 +0000 http://deftech.usmilblog.com/?p=4239#comment-94983 Although everyone loves throwing the words "cyber" around, I think this is essentially just a basic security issue. If you throw enough time and resources at something it can be made relatively secure, but in doing so you might make it so hard to use that it isn't even worth using. Eventually it'll be nice and secure, but unusable; or the development will take so long we're a full generation behind. The AF has had problems "securing" our nuclear weapons, what level of security do you expect from the private sector? When you consider a basic service outage as a cyber attack, then you have to remember that any yahoo can walk over to a manhole cover somewhere and simply cut the wires. Although everyone loves throwing the words “cyber” around, I think this is essentially just a basic security issue. If you throw enough time and resources at something it can be made relatively secure, but in doing so you might make it so hard to use that it isn’t even worth using. Eventually it’ll be nice and secure, but unusable; or the development will take so long we’re a full generation behind.
The AF has had problems “securing” our nuclear weapons, what level of security do you expect from the private sector? When you consider a basic service outage as a cyber attack, then you have to remember that any yahoo can walk over to a manhole cover somewhere and simply cut the wires.

]]> http://defensetech.org/2008/12/15/cyber-product-liability/#comment-94982 C. Juergens Mon, 15 Dec 2008 19:06:22 +0000 http://deftech.usmilblog.com/?p=4239#comment-94982 MIT Technology Review discussed this issue last year, although with a different slant: http://www.technologyreview.com/computing/12887 MIT Technology Review discussed this issue last year, although with a different slant:
http://www.technologyreview.com/computing/12887

]]>