This is my fifth post dealing with a proposal that I find to be appalling: the proposal by Kemba Walden, Acting National Cyber Director, that suppliers be assumed to be liable for software breaches. The two most notable of my four previous posts are here and here.
In the previous posts, I’ve provided multiple reasons why this is a terrible idea, but here’s an analogy:
1. Suppose someone were to propose that, because the driver on the right has the right of way at a four-way intersection without a traffic light, liability for an accident at such an intersection will normally rest with the driver on the left. Sounds sensible, right?
2. However, some malcontent might ask, “What if the driver on the right ignores the stop sign and plows into the other driver, who obeyed their stop sign? Will the latter driver still be deemed liable?”
3. “Of course not,” the proposer might say. “Let’s amend the proposal to say that the driver on the left is liable only in cases where the driver on the right obeys their stop sign.”
4. The malcontent agrees that’s a good idea, then asks, “What if the driver on the right stops for their sign, but their judgment is impaired by drugs or alcohol, and they don’t even know there’s another car in the intersection?”
5. The proposal will then be further amended to say, “The driver on the left is liable in cases where the driver on the right obeys their stop sign and is not driving impaired.”
6. But what if the driver on the right is sober and obeys the stop sign, but has been carried away by an emotional text message exchange with his soon-to-be-ex-girlfriend and is absorbed with completing his triumphant final text – so he doesn’t even see the driver on the left as he pulls into the intersection after stopping for his sign?
7. Of course, that will require a further change to our rule. Moreover, I’m sure you can think of at least five or ten more changes that would be needed, without breaking a sweat. I certainly could.
Of course, this will quickly become a very complicated rule. And, even if the driver on the left in an accident is dead sure that the driver on the right met all ten (or whatever the number is) conditions, it’s very likely that the driver on the right isn’t going to simply agree with them. Will that driver be bound and gagged if they try to assert that there’s another condition that makes them not liable – say, that the driver on the left was clearly inebriated and didn’t even try to avoid an accident (remember, failure to avoid an accident is a violation in most states, not just causing one)?
Actually, in the United States (as well as most other civilized countries, I would hope) the driver on the right doesn’t have to simply cave on this issue; they can contest the assertion that they’re liable. This is thanks to a recent innovation in societal governance: it’s called a trial before a judge or jury. Under this recent innovation (where, by “recent”, I mean something that has come into being in the last thousand years, since its invention in medieval England), neither side in a dispute is assumed to be liable until a judge and/or jury can hear what they have to say (including any evidence they want to present) and make their decision.
I suggest that, even though this is obviously a very old idea and most likely wasn’t originally intended to apply to the concept of software breaches, it’s probably worth retaining – rather than instead asserting that liability for software breaches always rests with the software supplier, except in exceptional cases to be determined by someone who works in the White House.
Fortunately, I’m pleased to report that it seems some rationality has crept stealthily into the national conversation. See the opening paragraph of this article in Nextgov (which, BTW, I think is a very good newsletter to subscribe to, both for insights on the federal government and on cybersecurity in general):
Biden administration officials are pushing to make technology manufacturers liable for the security of their products, but the currently divided Congress may stretch out the timeline for instituting non-voluntary solutions. In the interim, some lawmakers, experts and industry leaders have proposed the issuance of cybersecurity investment tax credits to help firms adopt enhanced cyber standards on their own.
My reactions to this are:
1. It’s stupid to blame the fact that fundamental changes to the US legal system aren’t going to go anywhere on the fact that Congress is “currently divided”. I would hope that even a non-divided Congress would realize how damaging it would be to institute a liability rule like this. There’s almost no aspect of human behavior that would be untouched if this were to happen. For example: “Ma’am, it doesn’t matter that you assaulted this man because he had threatened your child and was walking toward her. You were the one that initiated the assault, which means you’re liable”, or “Sir, I sympathize with the fact that you entrusted your life savings to someone who blew them away during one night at the casino. But you signed a document saying you understood that all investing carries risk, and that means the man who took your savings is not liable for your problem.”
2. The second sentence of the article lays out a two-part solution to the issue of securing software (and that is the issue here, right? It’s not that we’re out to punish software suppliers with every penalty up to imprisonment or death, just because we feel like punishment is good for the soul? Frankly, it seems that punishment is really the end goal of this proposal, with secure software just a nice-to-have side effect).
Note that the first part of the solution is “enhanced cyber standards”. I’m fine with that, although I’ll point out that there’s no agency of the federal government, other than the military, the intelligence agencies, the Nuclear Regulatory Commission, or the FDA (and then just for medical devices), that currently has any power to regulate software or intelligent device suppliers, except for safety concerns. Maybe there will be an agency like this in five years, but I’m sure it won’t be any earlier than that (and anyone who thinks this agency is needed should start advocating for it now, since I have never even heard of a proposal for such an agency).
The second part of the solution is “cybersecurity investment tax credits”. I’m all for these, although they should apply both to software suppliers and users. In other words, I think both suppliers and users are currently underinvesting in software cybersecurity protections, since the risks have escalated rapidly in recent years (for example, think of how two developments, the SolarWinds attacks and widespread losses due to ransomware attacks, have significantly increased cyber risk for all organizations, both big and small – but disproportionately for the small ones).
Rather than trying to “solve” this problem by bankrupting the organization that we have decided is liable for a breach, how about providing them with a positive incentive to follow guidelines like NIST’s SSDF or the NIST Cybersecurity Framework? Sure, we’ll have to forgo some tax revenue from those organizations, and that will cost the Treasury some money. But we all bear the costs of cybersecurity breaches, and the full costs of any breach (to all parties affected) are almost never recovered in a court of law or from an insurance policy.
And there’s another reason why targeted tax credits are going to be much more effective than trying to change the US legal system in order to punish software suppliers for… you know… having the temerity to develop software. This is something that can actually happen within the next few years, rather than being a feel-good proposal that has literally zero chance of enactment. And that should count for something.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.