After I put my most recent post on LinkedIn, noted ICS security guru (and S4 founder) Dale Peterson made a good comment, which turned into a chain of comments and replies between the two of us. Because I think the conversation was valuable, I’m reproducing most of it (along with commentary of my own in italics) here.
1. I had stated in my first post on this topic that I basically agree with the statement on page 20 of the White House cyber strategy document, which strongly implies that suppliers shouldn’t be able to “fully disclaim liability”. Or at least, I agree that any such disclaimer shouldn’t be buried in a 100-page agreement the user has to sign before they can use the software at all. However, if the supplier feels they can’t even offer the product to the public unless they disclaim or limit liability, and they provide a separate agreement just addressing liability, I think they should be able to do that. If the user doesn’t want to sign away liability, even if that means they can’t use the product, they’ll be free to do that. At the same time, the supplier will need to refund any money the user has already paid if the user won’t sign the separate liability provision.
2. Soon after the second post (my most recent one) appeared, Dale made a general comment and I replied, “What's amazing is that the author of this section thinks it's even possible to ‘shift liability’. In our legal system, liability is established by a court case. The government doesn't have any power to decide liability beforehand.”
3. Dale replied to my comment that, “I wouldn't go that far. Congress can pass laws that shift liability. The much in the news Section 230 is a great example of this. (It’s) less clear that the Executive Branch can shift liability, except perhaps via DoJ bringing cases to court.”
4. I replied to Dale, “I’m sure you know better than I do, but it seems to me that liability is always a question of the circumstances of each case. Here, we're talking about cyber breaches. Can even Congress pass a law that says the supplier is the one liable in every breach, or at least that the default assumption is that they're liable?” I added, “I'm sure the executive branch can't do that, although I know a lot of presidents have tried.”
5. Dale replied, “Channeling my Schoolhouse Rock ... Congress passes the bills, Executive signs them, Judiciary judges them. Section 230 is a good example. Congress passed and Executive signed the Communications Decency Act. Section 230 provides immunity to liability for online computer services with respect to third-party content generated by its users. Now there are cases that have made it all the way up to the Supreme Court saying Congress can't free them from this liability. Would it be wise for Congress to pass something that will be struck down by the courts? Of course not. I think your points in the article were quite good and hadn't really been discussed post Strategy announcement.”
6. I replied, “Thanks, Dale. However, in this case the WH seems to be assigning liability to the software suppliers, not removing it. That strikes me as something almost like a bill of attainder, which was explicitly prohibited in the Constitution. The suppliers can be held liable now, of course (although it’s important to remove those buried disclaimers of liability in the usage agreements we all sign without reading, or at least declare those unenforceable), but there needs to be a trial to determine that fact. The WH seems to want to skip the trial altogether, and proceed right to the sentence.”
7. Dale replied, “A lot of what is in the strategy requires legislative action and the Biden administration is aware of this. You see this in the text and in the briefings they have been giving. Even a lot of the regulatory things they want to do will require Congress to give the Executive branch more regulatory power.”
8. I replied to Dale, “There's a difference between regulations and liability. Absolutely, Congress can give CISA (since that's the agency that's behind this section, I'm sure) regulatory authority. But Jen Easterly has said that CISA isn't a regulator - and I think that's a good position for them to take.

However, it seems like CISA is trying to develop a back door for themselves by saying the suppliers are by default liable for breaches, and then hoping this will scare them into good practices. The problem with this approach is that, instead of reasonable regulatory fines, now the suppliers will be subject to potentially huge damage awards for large breaches.

I'm not very worried that this will happen, of course, since it will have a huge inhibitory effect on software suppliers and Congress will never approve it. So, if CISA wants to use the coercive approach, they should just become regulators and be done with it.

But since CISA doesn't want to be a regulator, they shouldn't then turn around and be an executioner. They should figure out positive incentives for suppliers - but also for users, since they're as often the cause of breaches as the suppliers are.”
9. The next day, I made another comment, “I do want to add that I don't object to a supplier having to pay a huge damages award, if they're found in a trial to be liable for an especially serious breach. What I do object to is the government's putting their thumb on the scales of justice, so that the liability will be determined without a trial at all. That's the ‘solution’ adopted by the cowboys in my post.”
That’s where the conversation ended. I think Dale and I are in agreement on all points, to wit:

A. Whatever the WH wants to do in this section, it will require Congressional action. And since I think it would be hard to get Congress to name a post office after George Washington nowadays, I’d say the chance of such action is effectively nil. So this is currently a moot point.
B. There’s a difference between regulation and assigning liability. Neither of us thinks regulation should be ruled out, but (and this is my opinion, since I haven’t discussed it with Dale) I think the only type of regulation that makes sense, when it comes to cybersecurity, is risk based: i.e., a requirement that the entity should “identify and assess” the risks they face regarding a particular domain like supply chain security, then develop a plan to mitigate the most serious risks – and follow that plan.
Since 2013, I’ve probably written at least 400-500 posts on the NERC CIP cybersecurity requirements, which used to be oppressively prescriptive but are now entirely risk based (or at least the new requirements are risk based; unfortunately, the prescriptive requirements are still mostly on the books). For example, CIP-013, the supply chain cybersecurity risk management standard, is entirely risk based (perhaps to a fault, since it provides far too little guidance on what it means to comply with it, IMO).
C. But assigning liability up front, so that the supplier is assumed to be liable (and perhaps for a lot of money) unless they can prove they’re not liable, is pure overreach, and frankly Orwellian to boot.
Last August, I wrote a post that described another bit of Executive Branch overreach, in that case rolling out some “voluntary” cybersecurity requirements for critical infrastructure, while at the same time making it perfectly clear that critical infrastructure operators had no choice but to follow those requirements (of course, since there are hundreds of ways that the federal government touches any private organization every day, this is without doubt a threat to make life difficult for them if they don’t do what they are being told to do). I started by saying,

Bad things happen when government agencies try to take the easy route, rather than the right one, to achieve their goals. And if the agency is trying to get private organizations to do something that they just know is the right thing for them to do, they’re even more tempted than normally to take the easy route. After all, their goals are righteous! How can anybody complain if they’re just doing everything they can to achieve those goals?

This paragraph applies perfectly to what Dale and I discussed on LinkedIn.
My former economics professor Milton Friedman, when the Ford administration had just put in place wage and price controls, said in class, “Now we have ‘voluntary’ wage and price controls – meaning, ‘You’ll voluntarily do this or you’ll get your head cut off.’”

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
What a thoughtful post, Tom. Risk shifts are always complicated. It’s a topic that was discussed endlessly in the early CIP days. Before that, in the 80s I think, it was discussed endlessly again in Title 10 space when the NRC started shifting towards performance based regulation.

I will reread this just so I can understand the nuanced differences between your and Dale's positions.
Thanks, Tim! It's nice to hear from you; been a while. When you understand the differences between our positions, please let me know and I'll publish it. Because I don't see a substantial difference now.