Software Security: Too Little Vendor Accountability, Experts Say

Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.

Windows license agreement screen capture
Source: Nick Lylak via Alamy Stock Photo

While legal legwork is already in progress to hold software vendors liable for delivering insecure products, actual laws and penalties are at least a decade away, says one policy expert who'll be speaking at next week's RSA Conference.

Greater accountability for insecure software vendors has the support of the Biden White House. However, licensing and contract protections have shielded companies whose vulnerable products have cost customers millions, according to James Dempsey, senior policy adviser/technology and governance lecturer, Stanford Program on Geopolitics/UC Berkeley Law School.

Dempsey will moderate a detailed discussion of proposed legal frameworks for software liability at this year's RSA, giving vendors a glimpse at the liability landscape. He'll be joined by Nick Leiserson, assistant national cyber director, cyber policy and programs, Office of the National Cyber Director; Bruce Schneier, security technologist, researcher, and lecturer, Harvard Kennedy School; and Chinmayi Sharma, associate professor, Fordham Law School.

"Right now, almost all software developers have language in their licenses or other contracts or terms of service in which they disavow any liability for any flaws in their products," Dempsey explains.

He uses the example of the Microsoft license on his own laptop to illustrate.

"For example, the Microsoft license for the operating system on my laptop says: 'You may not under this limited warranty, under any other part of this agreement, or under any theory, recover any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages,'" Dempsey tells Dark Reading. "The damage exclusions and remedy limitations in this agreement apply even if Microsoft knew or should have known about the possibility of the damages."

That's how vendors have been evading legal liability for their customer's damages, and in some cases, collecting cyber insurance payouts instead.

Progress Software, whose vulnerable MOVEit file transfer software led to the breach of more than 600 organizations and the compromise of the personal information of more than 40 million people, has so far evaded liability for its customer losses. Instead, Progress filed an 8-K form with the Securities and Exchange Commission that outlined the company's intent to collect on its full $15 million cyber-insurance policy coverage.

While there is a class-action consumer rights litigation against Progress Software for negligence and breach of contract, there are no legal protections for its customers, which in other industries could be enforced under an agreed upon legal "standard of care," according to a recent paper, "Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor," published by Dempsey in Lawfare. The paper outlines Dempsey's theory for the right path toward holding vendors legally liable for the cybersecurity of their products.

Okta is another software vendor that has exposed its customers to cyberattacks — and losses. September cyberattacks against Caesars Entertainment and MGM Resorts used Okta as an initial attack vector. Losses related to the cyberattacks at the hospitality giants racked up hundreds of millions in costs; both in lost earnings, as well as ransomware payouts.

By the end of 2023 Okta confirmed that an unauthorized user was able to gain access to data on 100% of its customers.

Why Strong Software Developer Liability Protections Also Matter

Holding developers liable for knowingly producing insecure tools requires carefully considered guidelines for what is a reasonable level of cybersecurity to expect from a software vendor in order to determine egregious outliers, Dempsey explained.

"Because there is general agreement that the manufacturers of software should not be made insurers of their products but rather should be liable only when a product is unreasonably secure, getting software liability right turns a lot on defining a standard of care," Dempsey's Lawfare article read.

This standard would include defects analysis already widely used in products liability law, the article added.

Dempsey also advocates a software developer "safe harbor" for hard-to-detect flaws. "For that, I would turn to a set of robust coding practices," Dempsey wrote.

Dempsey tells Dark Reading the Biden Administration realizes legislation will be necessary to achieve its goal of holding insecure software developers liable, which he adds they also understand is a long shot: "They see this as a 10-year issue."

Dempsey will moderate a detailed discussion of proposed legal framework for software liability on Monday, May 6, during RSA in San Francisco at 8:30 a.m. PT, giving vendors a glimpse at the liability landscape to come.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights