Wednesday, March 8, 2023

Better security through software product liability?

This is interesting:

The Biden administration’s new National Cybersecurity Strategy takes on the third rail of cybersecurity policy: software liability. For decades, scholars and litigators have been talking about imposing legal liability on the makers of insecure software. But the objections of manufacturers were too strong, concerns about impeding innovation were too great, and the conceptual difficulties of the issue were just too complex. So today software licenses and user agreements continue to disclaim liability, whether the end user is a consumer or an operator of critical infrastructure. With this new strategy, the administration proposes changing that.

The strategy’s discussion of the issue starts with an incontrovertible point: “[M]arket forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.” Indeed, the strategy goes on to note, market forces often reward those entities that rush to introduce vulnerable products or services into our digital ecosystem. Problems include the shipping of products with insecure default configurations or known vulnerabilities and the integration of third-party software with unvetted or unknown features. End users are left holding the bag, and the entire ecosystem suffers, with U.S. citizens ultimately bearing the cost.

We must begin, the administration says, to shift liability onto those who should be taking reasonable precautions to secure their software. This will require three elements, according to the strategy: preventing manufacturers and service providers from disclaiming liability by contract, establishing a standard of care, and providing a safe harbor to shield from liability those companies that do take reasonable, measurable measures to secure their products and services. Together, the three points are based on a recognition that the goal is not perfect security but, rather, reasonable security.

The Devil is in the details, of course, but conceptually this seems pretty reasonable. Whether this will be used by big software companies lobbying Congress to hobble dangerous competitors, or to squash Open Source software, remains to be seen.

8 comments:

Skeptic said...

A great idea, but will it work and can it be enforced? The computer hardware/software industry is not the only one pushing out questionable products. Big Pharma is as bad as or worse than the computer industry, as we've seen with the Covid vaccine fiasco. The auto industry, on the other hand, has been forced to be responsible for some of their products.

juvat said...

I would say your last sentence is the raison d'être! Get those folks to stop building software that competes with Big Software (my phrase, but it sings to me).

Chuck Pergiel said...

Linked

Old NFO said...

Gotta agree with Skeptic, but it 'might' stop MS and others from using the general public as their 'test bed'... sigh

Barbarus said...

This would stop open source in its tracks; no-one is going to contribute code to anything if it would mean them potentially being held liable for some insecurity that a court full of non specialists might (possibly thirty years later) decide they should have anticipated. Since pretty much everything from your phone to the world's largest data centre is full of open source ... everything stops in its tracks.

Well, there is one way around it: open source licences (probably commercial ones too) could be amended to include some language to the effect that "you may not use this software within any jurisdiction that imposes a legal liability for insecurity" whereupon every datacentre, especially the likes of Amazon AWS and Google has to move to an offshore location. Your phone would simply get remotely bricked, possibly after an apparently-minor update to the Terms and Conditions to make that legal.

danielbarger said...

Lots of things sound good in theory. It's the implementation that sucks. In the hands of corrupt politicians and rich businesses such legislation will almost certainly be abused.

BillB said...

That last sentence is the clincher. The dangerous competitor is Open Source. I think Barbarus nailed it. We will be back to the good old days where software is very expensive and still buggy. Thing is, it will only be Apple, Microsoft and the big Unix companies in the game.

matism said...

Anyone wanna bet that they will let Microsoft write the rules?