Mark Warner eyes liability for software developers as key way to shore up cybersecurity

Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, says the nation desperately needs an overarching cybersecurity strategy.

More surprisingly, eliminating software makers’ long-held exemption from liability lawsuits could be a key part of a cybersecurity plan, he says.

“We need a cybersecurity doctrine, and that raises questions, including on software liability,” Warner said at a March committee hearing on its Russia probe and election security.

A couple of weeks earlier, at the annual South by Southwest conference in Austin, Texas, Warner told an audience of techies that a “fulsome debate” is needed about whether the software sector’s legal immunity has outlived its usefulness, especially in an age of relentless cyberattacks that frequently exploit software vulnerabilities.

He says subjecting the software industry to legal exposure for flaws in their products is one way to get the private sector to improve their cybersecurity.

Software makers typically say in their seldom-read user license agreements that essentially the developer can’t be sued. So far, courts have sided with the software developers in civil suits.

That liability protection is rooted in case law, not in statute, and in theory could be overturned by legislation or perhaps even regulation, according to some observers.

But lawmakers and regulators have generally accepted the idea that greater legal exposure could freeze or even kill the vibrant, but inherently risky, software industry.

Still, former Homeland Security Secretary Tom Ridge in an interview echoed the national security imperative for considering the elimination of the software liability exemption. “This is a great policy question that should be discussed,” Ridge said. “There may be advantages to [the legal immunity], but we’re in a state of war and developers should be a lot more stringent. … Let’s decide as a country if they should have that protection.”

Warner said in an interview that “a debate in Congress is long overdue” on the legal immunity for software products and that he is “working on the beginning of a framework” for having that discussion.

“I think what he has in mind is starting a conversation — with hearings, with briefings, with member-level meetings. Something that’s smart and nuanced, with significant input from industry,” said a source close to Warner.

The congressional Judiciary and Commerce committees have yet to delve into the topic. A Senate Judiciary source said that committee would probably wait to see what Warner has in mind before considering hearings or other steps.

Software companies were reluctant to comment publicly, but one source close to the industry said, “Over the last several years the software industry has increased its focus to improve their secure code development practices.

“I do not subscribe to the belief that the biggest problem in cybersecurity is that software companies cannot be sued for errors in their code. I am not confident there is anything to be gained in pursuing this discussion since it does not address the fundamentals of the challenge, which is that the economics favor the attackers. With everything that needs to be done, I don’t see the value in focusing on an issue that will only drive wedges within the larger community. This could get real ugly.”

A business source from another sector noted that software makers would fight efforts to strip their liability protection, and that other industries would oppose — or at least not publicly support — removing legal immunity. “On the other hand,” the source said, “we would benefit from more rigorous security features in the software.”

Former White House Cybersecurity Coordinator Michael Daniel agreed that the time is right for a discussion. But he cautioned: “I’m not sure you can generalize a dialogue like this to all software. I think it requires a more sectoral approach, such as medical devices or autonomous vehicles.”

Daniel said “as a society, we need to think this issue through,” adding that “just because we decided that business productivity software manufacturers should not be held liable for security flaws in their products during the growth period of this industry in the 1990s does not mean all software manufacturers for all applications in all industries should get the same exemption forever.”

The Federal Trade Commission would be the best starting point, said a former senior cybersecurity official in the Department of Homeland Security during the Obama administration.

“We’re not starting from scratch,” the ex-official said, noting that the Defense Department is using procurement rules to hold suppliers responsible for the security of their products.

“That’s the beginning of a process, but the problem is, the market is chaotic, the buyers of these products are ‘distributed,’ so you have to end up with the government speaking for the market, probably through the FTC,” the source said.

Any legislation would be difficult to pass regardless of which party controls Congress, the source pointed out.

“In order to have this conversation with users, the big-company buyers [of software products], the manufacturers, you need to have standards on what is acceptable,” the source said. “Software sold to critical infrastructure should meet higher standards than that in consumer products. But there are standards out there” that could be applied.

A dialogue needs to start on creating incentives for software makers to better secure their products, the source said — an argument that has at least one well-placed congressional advocate in Warner.
