LAS VEGAS–The push for some form of liability for vendors who sell faulty or insecure software is nearly as old as software itself. Software makers have pushed back hard against it for decades, but the day may soon come when software liability is a reality.
Bugs, defects, and security vulnerabilities are problems inherent with any piece of software, and any user who installs an application and accepts the end-user license agreement agrees that the vendor isn’t liable for damage caused by those problems. But Jeff Moss, the founder of Black Hat, says that he believes the era of software liability is on the horizon.
“I hate to say it, but I do not see a way forward without software liability,” Moss said during his opening remarks at Black Hat here Wednesday.
“It can be a dollar, it can be ten million dollars, but it’s going to happen.”
Lawmakers have been discussing the possibility of some kind of liability for software vendors for many years. The idea has resurfaced in various forms several times, but it has never taken. One of the main reasons for this is the effort that software makers have made to fight it. Industry groups and individual software vendors have resisted every effort to impose any kind of liability for defects or security flaws in their applications.
But things are changing quickly. Software now runs not just on laptops, desktops, and servers, but on planes, cars, home appliances, and many other devices. If software fails or is exploited on a laptop, that’s one thing. But if the software on an avionics package on a plane fails, it’s a far different story.
“Think about Boeing. Those planes are flying data centers now,” Moss said.
The recent demonstrations of remote attacks on the software running in cars by Charlie Miller and Chris Valasek have shown that many of the same problems that face traditional software also are present in the apps running vehicles. Recovering from an attack or a failure of the software in a vehicle may not be a simple matter.
Moss is not alone in believing that software liability may be coming soon. Jennifer Granick, a long-time defense attorney for hackers and security researchers and the director of civil liberties at Stanford University’s Center for Internet and Society, said liability needs to happen.
“I think software liability is inevitable and I also think it’s necessary,” Granick said during her Black Hat keynote Wednesday. “But it’s going to make coding more expensive. I think we’re going to do a crappy job of imposing liability, but it’s going to happen.”