Wading Back Into the Software Liability Cesspool

Time must be a flat circle—it seems that every couple of years, someone brings up the topic of software liability. Just stay in one place, and soon enough, the train will come back around with folks screaming that software companies are liable for security breaches. This time, it’s Jen Easterly, the impressive head of CISA, who called for legislation to “prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” in a speech at Carnegie Mellon this week. There’s a great write-up in the Washington Post about the topic.

To be clear, I am a big fan of CISA and its leader. She is a great role model for security practitioners and has picked up the ball and run with it after Chris Krebs’ unceremonious firing. The concepts of secure-by-design and secure-by-default lauded by CISA are fantastic; all software companies should strive for that. The guidance they provide for users and company alerts about attacks are indispensable. And I love the idea of making EULAs more intelligible and ensuring people understand what rights they are giving up when they click through to get the latest version of Candy Crush.

But the idea of legislating software liability hearkens me back to the Reagan quote, “The top nine most terrifying words in the English language are: ‘I’m from the government, and I’m here to help.’” What is secure enough when applications are assembled using dozens, if not hundreds, of libraries and components from many developers? Let’s take Log4j as an example; who is responsible? Who do you sue when you lose customer data because of a faulty open source library? Who gets a safe harbor because they tried hard? At the end of the day, it seems like it would be pretty subjective.

Many intelligent commentators feared the fallout from the conviction of former Uber CISO Joe Sullivan would deter a large number of folks from taking a CISO job if they could be held liable for a breach at their company. Software liability legislation turns this fear and anxiety up to 11. Who will want to write software when you could get sued because of a library you use? All those folks in garages cooking up the next great software company should make room for a lawyer who will need to become an indispensable part of the founding team.

To be clear, like with product negligence, if an organization clearly and maliciously cuts corners and puts customers at risk, it should be held legally accountable. But it’s just not feasible to legislate what is secure and what isn’t. It would be out of date before it finished printing. How do you not create a tort storm in which everyone sues anyone who has anything to do with software?

Though, it seems that Everything Everywhere All at Once is en vogue this year, so maybe we should try it. I’m kidding—this dog hasn’t been able to hunt for the past 10 years and it’s certainly not going to hunt now.

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.