Login | April 26, 2024
CISA director in favor of software companies’ liability for hacks
RICHARD WEINER
Technology for Lawyers
Published: May 5, 2023
Federal Cybersecurity and Infrastructure Security Director Jen Easterly recently gave a presentation in which she echoed numerous cybersecurity experts in calling for Congress to look at holding software companies liable for hacks that occur because of faulty code in the software itself.
This is an old issue, with experts calling for a review of this principle going back more than 20 years.
Most reported hacks, of course are the result of either an employee inadvertently letting a bad actor into a system through phishing or something similar, or by a criminal consortium/ state actor with the resources to hack into a system through brute force or by developing its own attack software.
But there are hacks that take place because something in the code of the system allows them. And that is what Easterly wants to take a look at, as she talked about at during a speech at Carnegie Mellon University.
“Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” Easterly said, as reported by The Washington Post.
Easterly also criticized the mechanics of a consumer acquiring new software or a new device having to click “agree” on a Terms of Service the consumer can’t possibly understand.
Easterly’s speech is a part of CISA’s long-running effort to make software companies create products that are “secure-by-design,” or secure when the product leaves the factory, and “secure-by-default,” meaning that they should be updated automatically without the consumer having to sign a TOS or download updates.
CISA has not directly proposed any of these ideas to Congress yet, but they will be in the Biden administration’s upcoming policy blueprint. But she believes that the issue has bipartisan support, and she seems to be of the opinion that industry shares her concerns. She may want to look a little harder at that last point.
Anyway, this is a real step toward actual progress. But we shall see.