RSA 2012: Are Software Liability Laws Needed?

Infosecurity
March 1, 2012

Software liability laws are needed to hold software companies accountable for making faulty products, argued Bruce Schneier, chief technology security officer with BT, during a pro-con debate held Wednesday at the RSA Conference.

Schneier said that liability laws would transfer the economic cost for faulty software from the user to the developer and provide an incentive for the developer to fix the problem.

He compared the situation of the software market to the early days of the automobile industry, when Congress passed laws that held auto manufacturers responsible for faulty vehicles that caused accidents. This prompted the auto industry to begin fixing the problems, such as abandoning wooden wheels that would fall apart at high speeds.

"The only way to convince vendors to actually fix the problem is to make it in their financial interest to do so. Right now, most of the costs of insecure software are not being borne by the software vendors", Schneier said.

"Liability laws raise the cost of making insecure software. They allow us to tweak the risk equation until the CEO cares", he added.

Taking the opposing view, Marcus Ranum, chief security officer with Tenable Network Security, argued that liability laws would stifle innovation. He said that government intervention in the form of liability laws and/or regulation would prevent companies from creating innovative software products that "don't suck."

"Liability equals regulation. We are going to have to rein in the software industry and bring it under some type of control. We are all aware of the kinds of problems that come when you take a vibrant, growing, innovative industry and begin to apply government regulations", Ranum said. "I can't think of many industries that have gotten significantly more innovative as a result of regulation", he added.

Ranum said that the market works to impose "liability" on software vendors. "If the product from a vendor isn't good, sooner or later consumers might actually stop buying it. The 'liability' for the vendor is that it should go out of business for making something bad", he argued.

Based on a real-time survey of audience members conducted by text message, Schneier won the debate, receiving around three-quarters of the audience vote.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.