Hacker attacks that exploit flaws in commercial software have caused tens of billions of dollars in damage in the past year. The Code Red worm alone is estimated to have cost enterprise users more than $2 billion.
Software companies have hidden behind user agreements that protect vendors from liability for such damages, and few victims have taken their fight to court. In addition, despite high-profile attention, efforts to federally regulate software security aren't gaining much ground.
But that may be changing. Now legal experts predict that big-money lawsuits by consumers—such as those that plagued tobacco companies—are inevitable and necessary to pressure vendors for better products.
“I think where you're going to see reform come is through lawsuits. We'll see [vendors] getting sued,” said Jeffrey Hunker, dean of the H. John Heinz III School of Public Policy and Management at Carnegie Mellon University, in Pittsburgh, and the former senior director of critical infrastructure at the National Security Council during the Clinton administration. “So much of our economic structure depends on computers that it's unsustainable to hold software companies blameless.”
Government officials, vendors and CIOs are set to come together this spring to discuss users' legal options at a conference sponsored by CMU's Software Industry Center.
Much of the debate around the responsibility of software makers thus far has centered on the possibility of government regulation in the form of a mandate to develop secure products.
For instance, the National Academy of Sciences last week released a report that called for the government to sanction vendors whose software is breached. The report's authors looked at several similar academy studies done over the past 10 years and concluded that the state of network security had deteriorated in that time.
The authors said that much of the blame lies with software vendors that produce insecure code, as well as network administrators who fail to implement security practices and readily available defenses such as firewalls. The result, they said, is that “cyber-security today is far worse than what known best practices can provide.”
Hunker, a lawyer and associate of Richard Clarke, President Bush's special adviser for cyberspace security, said federal officials are growing angry at the number of large-scale security events such as Code Red and Nimda. He said Clarke has been pushing for more government intervention in corporate security issues. Most legal and security experts agree, however, that widespread regulation would be hard to implement politically and technically.
In the meantime, software vendors are working to ensure against any efforts—public or private. Maryland and Virginia have each passed a controversial law known as the Uniform Computer Information Transactions Act, or UCITA, that guarantees vendors immunity from prosecution or civil suits in such cases. The measure is under consideration in a handful of other states but isn't likely to gain widespread acceptance, legal sources say.
Even if such a regulation were in place, security experts are skeptical about the potential effect it would have on vendors' development practices. “It must be difficult to define where software vendors are liable, or it would have happened,” said Chris Wysopal, director of research and development at @Stake Inc., in Cambridge, Mass. “There needs to be some notion of what secure means … to have liability. We know nothing is 100 percent secure, but we also know that the vendors can do a lot better.”
“I believe that … filing a few big lawsuits will do more, particularly if it goes to trial and a big defendant loses, to spark an attitude adjustment,” said David Moskowitz, CTO of Productivity Solutions Inc., in Bala Cynwyd, Pa. “I don't know that legislation will fix security, per se. The prospect of government contracts tied to a demonstrated level of security … now we're talking money as an incentive with lawsuits as a disincentive to continue the sloppy practice.”