I initially assumed that an upcoming RSA conference keynote panel debating liability would target negligence on the part of companies to properly maintain their computer systems. I soon found out that the focus of the debate is intended to be, "Should software vendors be liable for writing insecure applications?" In an academic spirit, it has the potential to be a lively debate. For the real world, it will likely be a pretty pointless exercise except maybe for vendor bashers to blow off some steam. At best, this argument is about a decade too late.
The question is a good one, though, in theory. Isn't it reasonable to hold vendors accountable for writing software that opens up their clients to major losses? Software bugs, like those that enabled Slammer and Blaster, clearly cause businesses to lose millions of dollars. The exploitation of such bugs took down airlines, banks and organizations around the world. If automobile manufacturers can be held liable for faulty designs in cars and doctors can be held liable for malpractice, shouldn't software vendors be subject to similar penalties?
The reality of the situation is far different than most analogies. Since the beginning of commercial applications, software licensing agreements, that most people unknowingly agree to when they open up the installation media, state the vendor specifically assumes no liability whatsoever for their products. Basically, vendors state that if something goes wrong with their product, any
Frankly, businesses and the general public have allowed this situation to degenerate to this point. Since the first software applications and operating systems were purchased, few people told vendors that a base level of security was key to their purchasing decisions.
Vendors have given us what we asked for. Over the years though, vendors have generally improved their development practices. Microsoft, perhaps the largest cause for rallying by the pro-liability side, has drastically improved the security of its software. Even if you accept that there should be such liability, you have to prove that a vendor's whole development process is faulty, not merely that a vulnerability exists. There will never, ever be perfectly written code, and there will always be bugs. Nothing, including holding vendors liable, will ever make bugs disappear. Even the most ardent Microsoft bashers will have to agree that it currently has one of the most robust secure development programs in place. If you believe Microsoft is the poster child for insecure code, you have to concede that by any standard, it is one of the companies least likely to be found liable.
The irony is that software vendors will likely be the best protected from liability lawsuits. All major studies in the field conclude that most successful security compromises result from otherwise secure software being improperly configured or maintained. Perhaps the biggest source of software bugs these days is due to software that is designed in-house.
For my book, Spies Among Us, I interviewed Alexey Ivanov, who was convicted of extorting companies around the world. While he regularly exploited vulnerabilities due to poor maintenance procedures, the most powerful vulnerabilities that he found came from homegrown software. This software can be written either by internal developers or by outside contractors. These groups have much more insecure development processes than just about any major software vendor. It is much more likely that the first software liability lawsuits will target these developers, rather than Microsoft.
Homegrown software has the benefit of security through obscurity, since attackers first have to realize that there is custom code, and then study that code to find the vulnerabilities. Contrast this with Windows, which can be easily detected and is widely used. Luckily for most companies, few people are as skilled as Ivanov in identifying and exploiting home grown vulnerabilities. However, security through obscurity will eventually fail.
I believe the world would be a better place now if liability legislation had been enacted a decade ago. Instead, we are playing catch up. Today, though, debates on the issue are about as useful as a "Kerry for President" bumper sticker. On the bright side, the debate will be more interesting than the typical RSA keynote vendor pitches. I do predict that a great irony of the conference will be that this debate, which revolves around Microsoft, will generate less than a quarter of the media attention that Bill Gate's RSA keynote will.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.