Sunday, March 12, 2023

Conversation with Dale Peterson on liability vs. regulation

After I put my most recent post on LinkedIn, noted ICS security guru (and S4 founder) Dale Peterson made a good comment, which turned into a chain of comments and replies between the two of us. Because I think the conversation was valuable, I’m reproducing most of it (along with commentary of my own in italics) here.

1. I had stated in my first post on this topic that I basically agree with the statement on page 20 of the White House cyber strategy document, which strongly implies that suppliers shouldn’t be able to “fully disclaim liability”. Or at least, I agree that any such disclaimer shouldn’t be buried in a 100-page agreement the user has to sign before they can use the software at all. However, if the supplier feels they can’t even offer the product to the public unless they disclaim or limit liability and they provide a separate agreement just addressing liability, I think they should be able to do that. If the user doesn’t want to sign away liability even if that means they can’t use the product, they’ll be free to do that. At the same time, the supplier will need to refund any money the user has already paid, if they won’t sign the separate liability provision.

2. Soon after the second post (my most recent one) appeared, Dale made a general comment and I replied, “What's amazing is that the author of this section thinks it's even possible to ‘shift liability’. In our legal system, liability is established by a court case. The government doesn't have any power to decide liability beforehand.”

3. Dale replied to my comment that, “I wouldn't go that far. Congress can pass laws that shift liability. The much in the news Section 230 is a great example of this. (It’s) less clear that the Executive Branch can shift liability, except perhaps via DoJ bringing cases to court.”

4. I replied to Dale, “I’m sure you know better than I do, but it seems to me that liability is always a question of the circumstances of each case. Here, we're talking about cyber breaches. Can even Congress pass a law that says the supplier is the one liable in every breach, or at least that the default assumption is that they're liable?” I added, “I'm sure the executive branch can't do that, although I know a lot of presidents have tried.”

5. Dale replied, “Channeling my Schoolhouse Rock ... Congress passes the bills, Executive signs them, Judiciary judges them. Section 230 is a good example. Congress passed and Executive signed the Communications Decency Act. Section 230 provides immunity to liability for online computer services with respect to third-party content generated by its users. Now there are cases that have made it all the way up to the Supreme Court saying Congress can't free them from this liability.
Would it be wise for Congress to pass something that will be struck down by the courts? Of course not. I think your points in the article were quite good and hadn't really been discussed post Strategy announcement.”

6. I replied, “Thanks, Dale. However, in this case the WH seems to be assigning liability to the software suppliers, not removing it. That strikes me as something almost like a bill of attainder, which was explicitly prohibited in the Constitution. The suppliers can be held liable now, of course (although it’s important to remove those buried disclaimers of liability in the usage agreements we all sign without reading, or at least declare those unenforceable), but there needs to be a trial to determine that fact. The WH seems to want to skip the trial altogether, and proceed right to the sentence.”

7. Dale replied, “A lot of what is in the strategy requires legislative action and the Biden administration is aware of this. You see this in the text and in the briefings they have been giving. Even a lot of the regulatory things they want to do will require Congress to give the Executive branch more regulatory power.”

8. I replied to Dale, “There's a difference between regulations and liability. Absolutely, Congress can give CISA (since that's the agency that's behind this section, I'm sure) regulatory authority. But Jen Easterly has said that CISA isn't a regulator - and I think that's a good position for them to take.
However, it seems like CISA is trying to develop a back door for themselves by saying the suppliers are by default liable for breaches, and then hoping this will scare them into good practices. The problem with this approach is that, instead of reasonable regulatory fines, now the suppliers will be subject to potentially huge damage awards for large breaches.
I'm not very worried that this will happen, of course, since it will have a huge inhibitory effect on software suppliers and Congress will never approve it. So, if CISA wants to use the coercive approach, they should just become regulators and be done with it.
But since CISA doesn't want to be a regulator, they shouldn't then turn around and be an executioner. They should figure out positive incentives for suppliers - but also for users, since they're as often the cause of breaches as the suppliers are.”

9. The next day, I made another comment, “I do want to add that I don't object to a supplier having to pay a huge damages award, if they're found in a trial to be liable for an especially serious breach. What I do object to is the government's putting their thumb on the scales of justice, so that the liability will be determined without a trial at all. That's the ‘solution’ adopted by the cowboys in my post.”

That’s where the conversation ended. I think Dale and I are in agreement on all points, to wit:

A. Whatever the WH wants to do in this section, it will require Congressional action. And since I think it would be hard to get Congress to name a post office after George Washington nowadays, I’d say the chance of such action is effectively nil. So this is currently a moot point.

B. There’s a difference between regulation and assigning liability. Neither of us thinks regulation should be ruled out, but (and this is my opinion, since I haven’t discussed it with Dale) I think the only type of regulation that makes sense, when it comes to cybersecurity, is risk based: i.e., a requirement that the entity should “identify and assess” the risks they face regarding a particular domain like supply chain security, then develop a plan to mitigate the most serious risks – and follow that plan.

Since 2013, I’ve probably written at least 4-500 posts on the NERC CIP cybersecurity requirements, which used to be oppressively prescriptive but now are entirely risk based (or at least the new requirements are risk based; unfortunately, the prescriptive requirements are still mostly on the books). For example, CIP-013, the supply chain cybersecurity risk management standard, is entirely risk based (perhaps to a fault, since it provides far too little guidance on what it means to comply with it, IMO).

C. But assigning liability up front, so that the supplier is assumed to be liable (and perhaps for a lot of money), unless they can prove they’re not liable, is pure overreach, and frankly Orwellian to boot.

Last August, I wrote a post that described another bit of Executive Branch overreach, in that case rolling out some “voluntary” cybersecurity requirements for critical infrastructure, while at the same time making it perfectly clear that critical infrastructure operators had no choice but to follow those requirements (since there are hundreds of ways that the federal government touches any private organization every day, this was without doubt a threat to make life difficult for operators that didn’t do what they were being told to do). I started by saying,

Bad things happen when government agencies try to take the easy route, rather than the right one, to achieve their goals. And if the agency is trying to get private organizations to do something that they just know is the right thing for them to do, they’re even more tempted than normally to take the easy route. After all, their goals are righteous! How can anybody complain if they’re just doing everything they can to achieve those goals?

This paragraph applies perfectly to what Dale and I discussed on LinkedIn.

My former economics professor Milton Friedman, when the Ford administration had just put in place wage and price controls, said in class, “Now we have ‘voluntary’ wage and price controls – meaning, ‘You’ll voluntarily do this or you’ll get your head cut off.’”

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

2 comments:

  1. What a thoughtful post, Tom. Risk shifts are always complicated. It’s a topic that was discussed endlessly in the early CIP days. Before that, in the 80s I think, it was discussed endlessly again in Title 10 space when the NRC started shifting towards performance based regulation.

    I will reread this just so I can understand the nuanced differences between your and Dale's positions.

  2. Thanks, Tim! It's nice to hear from you; been a while. When you understand the differences between our positions, please let me know and I'll publish it. Because I don't see a substantial difference now.
