At a recent conference in Brussels, IT consultant Florian Walther claimed there is one “root cause” of all cyber-security issues – cheap or poorly made software that is “full of bugs and vulnerabilities.” In Walther’s view, the myriad challenges of cyber-security could be solved with one simple step: making software manufacturers liable for their products.
With cyber-security incidents on the rise, finding a way to reduce our exposure is a major national security concern. Yet while assigning liability, and thus forcing software vendors to work harder at securing their products, may seem a wise and simple solution, the complex and adversarial nature of cyber-security calls the approach into question.
During the debate, hosted by the Security & Defence Agenda think-tank, Walther asked a fundamental question: “Why do we see all this cyber-crime and attacks going up and up?” For him, the answer is that attackers exploit cyber-space because it is easy, and it is easy because of poorly made software.
“Every threat and exploit is based on a vulnerability in our software,” he explained. From personal computer security, where everyday programmes like Microsoft Word have been used to spread viruses, to the Iranian nuclear centrifuges, whose control software had, in his words, “lots of easy to exploit vulnerabilities” that the Stuxnet worm used, software is the key.
As things stand, software manufacturers can release software without any certification that it is secure, and escape liability through the “sold as is” clause found in almost every licensing agreement. So, Walther argues, making manufacturers financially liable would force them to patch these holes.
Walther claims this would, over time, eliminate 80% of cyber-security incidents. But the proposal has several problems:
The main one, as fellow panellist Isaac Ben-Israel pointed out, is that cyber-security is adversarial: a contest between someone trying to get in and a system trying to keep them out. A thinking opponent will hunt for gaps in a system with all their ingenuity, and a product that withstood every known attack at release can still fall to a technique discovered afterwards, which makes it hard to define what a vendor should be liable for. As Ben-Israel put it, “car manufacturers only hold liability for malfunction, but not for damage caused by someone attacking a car.”
Moreover, every cyber-security incident has a chain of responsibility that includes the software vendor, but also the network operators, the author of the malware and the actions of the user. Software manufacturers may stand at the start of this chain, but by the time an incident occurs, potential liability has been spread across a host of actors. Allocating sole responsibility under these conditions would be a legislative nightmare.
Currently, public-sector and private end-users pick up the costs of cyber-security, leaving software vendors free to produce fundamentally flawed programmes. Yet allocating liability in cyber-space is difficult, and it is not a catch-all solution.
Some intelligent combination of new legal and security standards is clearly needed. In Europe, a new EU cyber-crime centre is being set up to help map the scale of the problem. This, together with a growing number of computer emergency response teams (CERTs), is currently the policy solution of choice. But as Walther indicates, until the private sector picks up a share of the load, such national efforts may end up merely observing the continued insecurity of cyber-space rather than solving it.
Photo Credit: Gleamlight