Should Vendors be Liable for Their Software's Security Flaws?

  • Bruce Schneier
  • Network World
  • April 22, 2002

Network security is not a technological problem; it’s a business problem. The only way to address it is to focus on business motivations. To improve the security of their products, companies – both vendors and users – must care; for companies to care, the problem must affect stock price. The way to make this happen is to start enforcing liabilities.

The only way to get many companies to spend significant resources to ensure the security of their customers’ data is to hold them liable for misuse of this data. Similarly, the only way to get software vendors to reduce features, lengthen development cycles and invest in secure software development processes is to hold them liable for security vulnerabilities in their products.

Legislatures could impose liability on the computer industry by forcing software manufacturers to be subject to the same product liability laws that affect other industries. Then, if they produce defective products, they will be liable for damages. Even without this, courts could impose liability-like penalties on software manufacturers. This is happening in related cases. Judges have issued restraining orders against companies with insecure networks that are used as conduits for attacks against others. Companies that have used customer data in violation of their privacy promises or collected data using misrepresentation or fraud also have been penalized. A U.S. judge forced the Department of the Interior to take its network off-line because it couldn’t guarantee the safety of American Indian data.

However it happens, liability changes everything. Today, software vendors can add product features and complexity without thinking twice. Liability would force them to consider whether such additions are really necessary.

Once liabilities are established, the insurance industry will step in. Companies will have no choice but to buy network insurance, just as they buy theft or fire insurance today. Liabilities are variable-cost risks. The insurance industry is in the business of turning those risks into fixed expenses. Insurance companies are going to move into cyber-insurance in a big way. And when they do, they’re going to drive the computer security industry, just like they drive the security industry in the brick-and-mortar world. Insurance companies will need mechanisms to reduce risk and will quickly start charging different premiums for different levels of security.

Internet security benefits everyone. In our society we protect our environment, healthy working conditions, safe food and drug practices, and sound accounting practices by legislating and making companies liable for taking undue advantage of them. This kind of thinking is what gives us bridges that don’t collapse, clean air and water, and sanitary restaurants. We don’t live in a “buyer beware” society; we hold companies liable for taking advantage of buyers.

There’s no reason to treat software any differently from other products. When Firestone produced a tire with a systemic flaw, the company was held liable for the resulting damages. Meanwhile, Microsoft can produce an operating system with multiple systemic flaws and not be liable. This makes no sense, and it’s the reason security is so bad today.
