Monday, May 1, 2023

Is this my last post on the supplier liability question? I certainly hope so…


This is my fifth post dealing with a proposal that I find to be appalling: the proposal by Kemba Walden, Acting National Cyber Director, that suppliers be assumed to be liable for software breaches. The two more notable of my four previous posts are here and here. In the previous posts, I’ve provided multiple reasons why this is a terrible idea, but here’s an analogy:

1. Suppose someone were to propose that, because the driver on the right has the right of way at a four-way intersection without a traffic light, liability for an accident at such an intersection will normally rest with the driver on the left. Sounds sensible, right?

2. However, some malcontent might ask, “What if the driver on the right ignores the stop sign and plows into the other driver, who obeyed their stop sign? Will the latter driver still be deemed liable?”

3. “Of course not,” the proposer might say, “Let’s amend the proposal to say that the driver on the left is liable only in cases where the driver on the right obeys their stop sign.”

4. The malcontent agrees that’s a good idea, then asks, “What if the driver on the right stops for their sign, but their judgment is impaired by drugs or alcohol, and they don’t even know there’s another car in the intersection?”

5. The proposal will then be further amended to say, “The driver on the left is liable in cases where the driver on the right obeys their stop sign and is not driving impaired.”

6. But what if the driver on the right is sober and obeys the stop sign, but has been carried away by an emotional text message exchange with his soon-to-be-ex-girlfriend and is absorbed with completing his triumphant final text – so he doesn’t even see the driver on the left as he pulls into the intersection after stopping for his sign?

7. Of course, that will require a further change to our rule. Moreover, I’m sure you can think of at least five or ten more changes that would be needed, without breaking a sweat. I certainly could.

Of course, this will quickly become a very complicated rule. And, even if the driver on the left in an accident is dead sure that the driver on the right met all ten (or whatever the number is) conditions, it’s very likely that the driver on the right isn’t going to simply agree with them. Will that driver be bound and gagged if they try to assert that there’s another condition that makes them not liable – say, the driver on the left was clearly inebriated and didn’t even try to avoid an accident (remember, failure to avoid an accident is a violation in most states, not just causing one)?

Actually, in the United States (as well as most other civilized countries, I would hope) the driver on the right doesn’t have to simply cave on this issue; they can contest the assertion that they’re liable. This is thanks to a recent innovation in societal governance: It’s called a trial before a judge or jury. Under this recent innovation (where, by “recent” I mean something that has come into being in the last thousand years, since its invention in medieval England), neither side in a dispute is assumed to be liable until a judge and/or jury can hear what they have to say (including any evidence they want to present) and make their decision.

I suggest that, even though this is obviously a very old idea and most likely wasn’t originally intended to apply to the concept of software breaches, it’s probably worth retaining – rather than instead asserting that liability for software breaches always rests with the software supplier, except in exceptional cases to be determined by someone who works in the White House.

Fortunately, I’m pleased to report that it seems some rationality has crept stealthily into the national conversation. See the opening paragraph of this article in Nextgov (which BTW I think is a very good newsletter to subscribe to, both for insights on the federal government and on cybersecurity in general):

Biden administration officials are pushing to make technology manufacturers liable for the security of their products, but the currently divided Congress may stretch out the timeline for instituting non-voluntary solutions. In the interim, some lawmakers, experts and industry leaders have proposed the issuance of cybersecurity investment tax credits to help firms adopt enhanced cyber standards on their own.

My reactions to this are:

1. It’s stupid to blame the fact that Congress is “currently divided” for the fact that fundamental changes to the US legal system aren’t going to go anywhere. I would hope that even a non-divided Congress would realize how damaging it would be to institute a liability rule like this. There’s almost no aspect of human behavior that would be untouched if this were to happen, for example, “Ma’am, it doesn’t matter that you assaulted this man because he had threatened your child and was walking toward her. You were the one that initiated the assault, which means you’re liable”, or “Sir, I sympathize with the fact that you entrusted your life savings to someone who blew them away during one night at the casino. But you signed a document saying you understood that all investing carries risk, and that means the man who took your savings is not liable for your problem.”

2. The second sentence of the article lays out a two-part solution to the issue of securing software (and that is the issue here, right? It’s not that we’re out to punish software suppliers with every penalty up to imprisonment or death, just because we feel like punishment is good for the soul? Frankly, it seems that punishment is really the end goal of this proposal, with secure software just a nice-to-have side effect).

Note that the first part of the solution is “enhanced cyber standards”. I’m fine with that, although I’ll point out that there’s no agency of the federal government, other than the military, the intelligence agencies, the Nuclear Regulatory Commission, or the FDA (and then just for medical devices), that currently has any power to regulate software or intelligent device suppliers, other than for safety concerns. Maybe there will be an agency like this in five years, but I’m sure it won’t be any earlier than that (and anyone who thinks this agency is needed should start advocating for it now, since I have never even heard of a proposal for such an agency).

The second part of the solution is “cybersecurity investment tax credits”. I’m all for these, although they should apply both to software suppliers and users. In other words, I think both suppliers and users are currently underinvesting in software cybersecurity protections, since the risks have escalated rapidly in recent years (for example, think of how two developments, the SolarWinds attacks and widespread losses due to ransomware attacks, have significantly increased cyber risk for all organizations, both big and small – but disproportionately for the small ones).

Rather than trying to “solve” this problem by bankrupting the organization that we have decided is liable for a breach, how about providing them with a positive incentive to follow guidelines like NIST’s SSDF or the NIST Cyber Security Framework? Sure, we’ll have to forgo some tax revenue from those organizations and that will cost the Treasury some money. But we all bear the costs of cybersecurity breaches, and the full costs of any breach (to all parties affected) are almost never recovered in a court of law or from an insurance policy.

And there’s another reason why targeted tax credits are going to be much more effective than trying to change the US legal system in order to punish software suppliers for…you know…having the temerity to develop software. This is something that can actually happen within the next few years, rather than being a feel-good proposal that has literally zero chance of enactment. And that should count for something.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
