Feds Trying to Figure Out Liability for Software Bugs
The Cyberspace Solarium Commission created a list six years ago of things the government should be doing with regard to cybersecurity policy.
The commission made 82 recommendations, and each year some of them have been enacted into law, usually as part of the National Defense Authorization Act (NDAA), a must-pass bill that funds the military.
In total, about 80 percent of the recommendations have been enacted into law, which for Congress is damn near unheard of.
One item that has not been enacted into law is making software makers liable for bugs in their software. In the wake of the recent SolarWinds and Microsoft meltdowns, and even with the supposed interest of the Biden administration, this is one recommendation that has not moved forward.
Right now, if you read the software license agreement for virtually any software product, the maximum liability software makers accept is to give you back your money, and most software vendors won’t even do that. In fact, most agreements say that they are not responsible for anything and that you assume all liability, even if their software kills people.
The software industry says that it will wreck innovation if they become liable. What they mean is that software makers are going to have to spend more time and money testing their software instead of turning you into their guinea pigs with no way to hold them accountable. Consider this: is there anything else you buy for which the seller doesn’t have some liability? Cars? Yes. TVs? Yes. Food? Yes. Pretty much everything.
Thirty years ago, when the software industry was just starting, that might have made sense, but now, with some software makers having a market cap in the high billions, maybe it does not.
There are different ideas, and I think that most smart people understand that software is never going to have zero bugs.
For corporate directors there is something called the Caremark standard. It came out of a lawsuit that established that directors have to follow a “standard of care.” That seems to make sense for software, but how the hell do you define what that standard is when software changes by the minute?
But in light of the various incidents, like the CrowdStrike meltdown last July and the Microsoft Exchange attacks, maybe the time is now.
One interesting wrinkle is open source software. Since there is no “company” to hold accountable, do you hold some independent developer accountable? If you do that, the open source ecosystem will literally disappear overnight. No developer is going to risk getting sued into oblivion for something they gave away.
Still, the status quo does not seem to be working. It will be up to the next Congress and White House to decide if now is the time and what should be done. Don’t expect anything tomorrow, though.

Credit: The Record