Software liability is coming

By Tony Campbell

It's only a matter of when.

The new year started badly for networking multinational D-Link after the US FTC kicked off legal proceedings claiming the company failed to secure a variety of its self-proclaimed un-hackable products.

There's a bigger focus on weak device security at the moment given the severity of last year's massive distributed denial of service attacks on Brian Krebs’ website and on DNS provider Dyn’s network infrastructure.

The FTC has started investigating companies whose security practices are remiss, and recently settled the high-profile Ashley Madison case based on the public disclosure of how inadequate the company’s data security measures were.

We're getting closer to this in Australia: the long-awaited data breach notification bill that was meant to be passed last year should come into force this year. While this is a good first step, addressing the question of liability is a much bigger process.

Having to report serious data breaches to the OAIC, as proposed under the draft legislation, is welcome, but it doesn't penalise equipment vendors for the sloppy development practices and insecure products that lead to those breaches in the first place.

This issue of liability is not new. Vendors have long forced us to sign licence agreements that remove their liability for damages caused by flaws in their technology.

And we know that nothing will change unless vendors are incentivised to spend more money on secure development and testing processes; these are expensive and typically slow down their release cycles, which could see them lose market share.

The only real way to address this issue is to focus on the economics: it needs to be worth the company's time and money to improve its product security, otherwise it will simply accept the risk and rely on the licence agreement that absolves it of responsibility.

We need a change in law that sees the risk being owned by the vendor as much as the end user.

The shift towards vendor liability has certainly begun: the D-Link case demonstrates that the US government is taking vendor claims of security very seriously.

The real gamechanger, however, is the internet of things.

Now that commercial software is driving our cars, flying our planes and dispensing our medicines, the consequences of a security flaw being exploited are far more serious than a leaked database.

When the safety of individuals comes into play, our country’s legal apparatus will need to be flexed to distribute software liability more fairly. 

2017 won’t be the year where everything changes, but it's unlikely to be long before vendors will be forced to take on some of the risk of using their software. 

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
