Should Software Companies Be Legally Liable For Security Breaches?

It’s a truism that all software has bugs and security holes. It’s another that license agreements invariably make software vendors immune to liability for damage or losses caused by such flaws. But, to my surprise, Black Hat’s founder and keynote speaker are arguing that software product liability, presumably mandated by governments, is inevitable. If they’re right, a seismic change is on the horizon.

“I do not see a way forward without software liability,” said Jeff Moss aka Dark Tangent. As software eats the world, industries which are already subject to liability are becoming software companies: Moss called Airbus, Boeing, and Tesla manufacturers of “moving data centers.” The recent Jeep hack highlights the extent to which vehicle manufacturers have become software companies, and vulnerable to software flaws.

But traditional software companies are immune to liability. It’s not, Moss argues, a level playing field. “Market forces will drive us to software liability,” he claims. Keynote speaker (and lawyer) Jennifer Granick similarly believes the Internet of Things will lead to industries accustomed to liability becoming software companies, which will lead to software liability.

But she adds: “I think we’re going to do a really crappy job with software liability for a long time, and the people who will suffer will be the startups and disruptors, not the established companies.”

There’s no doubt that liability would make the software industry take security far more seriously. It would also impose immense costs and slow down the pace of innovation drastically. Even past proponents of software liability, such as Bruce Schneier, say as much:

Today there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.

That piece was written in 2003. I think it’s fair to say that the industry is finally beginning to wake up to the importance of security, and also that there are better, faster, less heavy-handed ways to improve it without stifling innovation, strangling growth, and promulgating decades’ worth of unintended consequences. Even other forms of government regulation would be far superior.

For instance, I spoke to Chris Eng, VP of Research at Veracode, who is strongly in favor of mandatory breach reporting, i.e. regulations which dictate that when a company above a certain size is hacked, they don’t merely have to reveal that they were hacked, but they have to provide all available technical details, so that other targets can learn from each new attack.

That doesn’t really happen today. Few companies want to volunteer detailed blow-by-blow technical accounts of what is generally one of their worst days ever. But almost every security expert agrees that mandatory reporting requirements would be hugely beneficial, and making it a regulatory requirement would prevent CISOs from having to sell the unpalatable notion to CEOs, while risking incendiary victim-blaming. (Better yet, merely threatening a regulatory requirement might provoke an industry consensus to make this happen without the need of a law; the best of both worlds.)

Here’s a visual reminder, again, of just how bad things are getting:

Meanwhile, increasingly, your cars and even guns can be hacked. The stakes get higher every year, but software security remains an afterthought for far too many companies. Something, everyone agrees, has to be done.