Information security: Who should be liable for security?

Vulnerable software is increasingly being taken advantage of by hackers. So where does responsibility lie for ensuring software is secure, and should suppliers be held liable?


A survey last month of internet users by Get Safe Online found that 12% of respondents had suffered online fraud in the past year, at an average loss of £875. And the Association of Payment Clearing Services has highlighted a surge in the amount of money lost to online banking fraud. In the first half of 2006, it cost banks £23m.

Why is this happening? Because cyber crime is now driven by organised crime, and organised crime's raison d'etre is to make - or rather steal - money. And insecure software has become the perfect means of attack.

Why rob a bank in the real world when you can filch money in the virtual world from users' online accounts through Trojans and keyloggers?

Although Microsoft took a sabbatical from its monthly Patch Tuesday routine in March, Apple more than made up for it by releasing a security update that fixed 45 vulnerabilities in the Mac operating system and several third-party applications.

The security update was Apple's seventh this year, bringing its patch count to 64. Microsoft has released 16 bulletins and patched 30 vulnerabilities since the start of the year, while other suppliers which have so far had to release major patches this year include Cisco, Adobe, Google, Oracle and Computer Associates.

Bruce Schneier, chief technology officer at managed security services company BT Counterpane, has a plan to tackle this ever-present problem. He would like to see software providers made liable for the quality of their software.

Last month Schneier told the London School of Economics (LSE) that the software industry needed to follow the example of the credit card industry, which set out to help itself fight fraud and losses when courts ruled that consumers were not ultimately liable for fraudulent use of their credit cards.

Schneier believes the same approach is needed now in the software industry to help drastically improve IT security. To achieve this, he believes the ultimate economic responsibility for better software should be moved directly to software makers, who can influence the creation of more secure applications.

"If there is liability we will pay more for software, but at least we will get better software out of it," he says.

According to Schneier, today's software development system lets software suppliers sell products without any real responsibility for them once users begin working with the software.

Schneier admits that suppliers would rubbish the idea, but believes that only such a liability responsibility would drive change. "Yes, it would need regulation to make it a reality, and that is down to government. I know it will be difficult, but it will probably come down to some congressman putting down a Bill, and seeing where that leads," he says.

Schneier believes 10 factors in the IT landscape are contributing to the current state of software. And it is getting worse, not better, he suggests.

The factors are:

  • The economic value of information
  • The critical nature of networks
  • Personal information is often controlled by third parties
  • Criminals are the dominant attackers on the internet
  • Complexity is the worst enemy of security
  • Vulnerabilities are exploited faster than they can be patched
  • The sophistication of computer worms
  • Attackers are targeting the end points
  • In some cases, the end-user is the attacker
  • Regulatory pressures, for example Sarbanes-Oxley and the PCI Data Security Standard for retailers.

In addition, Schneier believes a number of economic factors are affecting the development of software and ultimately impacting the user.

According to Schneier there is a market for "lemons", a US term for useless products, because the seller knows a lot more about the product than the buyer. The buyer is unable to make an informed decision, and may end up making a wrong one. Another problem is the high costs involved in moving from one supplier's software program to another.

Schneier believes another problem that is overlooked is the issue of externalities. Suppliers try to balance the costs of more secure software - the extra developers needed, fewer features and longer time to market - against the costs of insecure software - the expense of patching, occasional bad press and the potential loss of sales.

However, what suppliers do not look at is the total cost of insecure software, says Schneier. In other words, they only look at what insecure software costs them and not at all the money the software product buyers are spending on security. In economic terms this is known as an externality: the cost of a decision that is borne by people other than those taking the decision.

And when it comes to riding out the bad press, says Schneier, even the suppliers come up smelling of roses. There have been so many data breach stories in 2007 that it is no longer news.

A leading software supplier countered Schneier's comments by saying, "We are always looking at ways we can improve our communications to help customers get timely and useful information to help them manage vulnerabilities. These include security advisories, publishing incident pages, web casts, RSS feeds and syndication of our content based on feedback from customers."

Security supplier RSA says, "No operating system or application is immune from attack. One hundred per cent security is the unachievable holy grail, and there will always be those who seek to gain from that fact."

Andy Clark, chairman of the British Computer Society's Forensics Working Group, says he believes Schneier's liability comments have a degree of common sense about them, but he adds that the issue is complex.

"While it may be difficult to have general liability for a problem, I prefer the idea of making companies liable for letting a problem happen again. That is akin to the mantra that if you mess me around once, that is my problem. If you do it twice, then it is your problem. We also have a movement towards the use of open source software, so who is responsible or liable for that?"

Clark also differentiates between safety critical software and mission critical software. "Safety critical software could cost lives if it failed. Mission critical could cost businesses their future if it is at fault. If I cannot send out my invoices as a business because of a software problem, then that might kill my business," says Clark.

"One idea that might have merit is the introduction of a limited liability procedure where you could take action against a supplier for the cost of switching to another supplier's competing products. Then the original supplier has the choice of reparations and repair for the original faults - or the cost of your switch to a rival."

Daniel Dresner, research manager for new funding and research projects at the National Computing Centre and a software quality specialist, says we have reached something of a watershed. "Software quality is the victim of increased complexity. Operating systems are so complex and run on such complex hardware, that even a simple application may interact on many levels.

"For that reason, we need people to think about security from the very beginning of software development, and responsibility has to be down to good governance," says Dresner.

"When buying new software, you should identify that there is a need to do a risk assessment for that software. Risk managers get a bad deal, when their opinions really should be heeded. There are many more risks out there.

"For example, you may think that putting your laptop in your car boot would make it more secure. But now, there are sniffers that can even detect the Nicam batteries," says Dresner.

"From the point of view of the marketing people within software suppliers, there is an opportunity for a paradigm shift to consider not just bigger, faster, stronger, but also to market 'stronger security' as a differentiator."

Bruce Schneier's suggestion - not for the first time - that suppliers should be liable for the quality of their software, has prompted the suppliers to hit back, warning that such an option would only result in highly subjective, frivolous lawsuits.

They argue that civil liability actions against technology makers oversimplify the situation, because software is a product of engineering and is not, and never can be, infallible. Suppliers have also argued that lawsuits would stifle innovation and punish the wrong people, shifting the blame away from wrongdoers who attack software flaws towards the pursuit of civil liability for vulnerabilities.

Carrie Hartnell, programme manager at Intellect, the trade association for the UK hi-tech industry, says that there needs to be a better dialogue between users and developers.

"Naturally, we would not endorse software which is not fully tested, but users need to determine what processes will use software, and accordingly map how robust it needs to be to support them and how much they are willing to pay for this."

However, Schneier insists that software suppliers are in the best position to improve software security because they have the capability. Features, schedule and profitability, however, are usually far more important drivers, he says. Schneier believes software liabilities would change that, align interest with capability and improve software security.

"Today there are no real consequences for having bad security or low-quality software. But liability changes everything. Currently, there is no reason for a software company not to offer more features, more complexity, and more versions.

"Liability forces software companies to think twice before changing something."
