Should software product makers be held liable for the poor security these products might have? It’s a question on the minds of many, and one being more openly debated amongst those in government, law circles and users of software, than ever before.
Much of the debate is being driven by the seemingly daily reports of security holes in software: holes exploited by hackers and others to gain access to sensitive information or to cause havoc within company systems. The feeling amongst some is that software companies have been lax or indifferent on the issue of security. They say it might be time for government to step into the breach and get companies to start taking security more seriously.
Javad Heydary, managing partner with the law firm Heydary Hamilton LLP in Toronto, believes pressure is growing amongst users of commercial software for some kind of legislative and legal mechanism to get companies to improve the security of their products, as well as some means of obtaining remedies when insecure products cause damage.
Part of this pressure is coming from a shift in the public’s perception of software and technology, Heydary suggested. People no longer see security problems and software failures as a normal part of using technology. “If there was a breakdown or a security breach, we really didn’t think ‘OK, this was the result of the software we are using,’” he said. “Instead, we tended to think it was something we did wrong or that (security problems) are just part of doing work online and working with computers.”
This mentality, he believes, is partially fostered by the software industry. If one takes a look at many software agreements, companies disclaim in those agreements almost any liability for damages the product can cause to a computer or a business. “No other industry in the world has participants that can get away with so much by disclaiming so much,” Heydary says.
Cold reception
But the idea of government stepping in and legislating companies to improve the security of software products sends the proverbial willies up the spines of many in the software industry. At the RSA 2005 security conference in San Francisco earlier this year, the idea of government intervention was greeted with the same enthusiasm amongst software producers that mice might show for a cat suddenly showing up at the doors to their homes.
Tiffany Jones, regional manager for government relations with Symantec Corp. in Washington, says legislation or getting the courts involved with software security issues is not something the company supports.
Jones believes companies are in fact vigorously improving the security of their software products all the time. Many, like Symantec, also take part in evaluation programs such as the Common Criteria and the National Information Assurance Partnership (NIAP), which seek to raise security and software standards across the industry.
At the same time, Jones suggests consumer pressure has done more to drive improved security practices amongst software producers than any legislative measure could possibly do.
“When I started in this industry four years ago, security was not a market driver,” Jones adds. “It was not something people looked at as a competitive advantage. Now it is.”
Bruce Schneier, chief technology officer with Counterpane Internet Security Inc. in Mountain View, Calif., agrees that consumer pressure can have an effect on getting companies to improve the security of their products.
Look at how Linux has made Microsoft take security more seriously for its Windows operating systems, he suggests. But consumer pressure is not enough in many cases. At the RSA conference, Schneier pointed out to attendees that he’s been going to the show for years and continues to see the same security problems and the same exploits being used by hackers. So if the same problems persist and new ones keep cropping up, something more has to be done than simply complaining about them.
The auto example
This is where legislation and regulation can have an impact, by changing the economics of improving security. Right now, it is not in the economic best interest of software companies to improve the security of their products. Improving security costs time and money, and a company that does so alone puts itself at a competitive disadvantage. What is needed is an incentive that removes that first-mover disadvantage.
That incentive is legislation that levels the playing field by requiring every company to conform to the same rules. Schneier gives the example of the automotive industry. Legislation made sure all the automotive manufacturers in the U.S. improved safety and fuel efficiency by mandating such measures as seatbelts, airbags and minimum gas mileage for consumer vehicles.
Because every automobile manufacturer had to participate, there was no competitive penalty for being the first to do so. Everybody had to conform to the legislated standards. The only penalty was for not conforming. The same could go for the software industry.