‘Software Liability Is Inevitable’

LAS VEGAS–The push for some form of liability for vendors who sell faulty or insecure software is nearly as old as software itself. Software makers have pushed back hard against it for decades, but the day may soon come when software liability is a reality.

Bugs, defects, and security vulnerabilities are problems inherent in any piece of software, and any user who installs an application and accepts the end-user license agreement agrees that the vendor isn’t liable for damage caused by those problems. But Jeff Moss, the founder of Black Hat, says that he believes the era of software liability is on the horizon.

“I hate to say it, but I do not see a way forward without software liability,” Moss said during his opening remarks at Black Hat here Wednesday.

“It can be a dollar, it can be ten million dollars, but it’s going to happen.”

Lawmakers have been discussing the possibility of some kind of liability for software vendors for many years. The idea has resurfaced in various forms several times, but it has never taken. One of the main reasons for this is the effort that software makers have made to fight it. Industry groups and individual software vendors have resisted every effort to impose any kind of liability for defects or security flaws in their applications.

But things are changing quickly. Software now runs not just on laptops, desktops, and servers, but on planes, cars, home appliances, and many other devices. If software fails or is exploited on a laptop, that’s one thing. But if the software on an avionics package on a plane fails, it’s a far different story.

“Think about Boeing. Those planes are flying data centers now,” Moss said.

The recent demonstrations of remote attacks on the software running in cars by Charlie Miller and Chris Valasek have shown that many of the same problems that face traditional software also are present in the apps running vehicles. Recovering from an attack or a failure of the software in a vehicle may not be a simple matter.

Moss is not alone in believing that software liability may be coming soon. Jennifer Granick, a long-time defense attorney for hackers and security researchers and the director of civil liberties at Stanford University’s Center for Internet and Society, said liability needs to happen.

“I think software liability is inevitable and I also think it’s necessary,” Granick said during her Black Hat keynote Wednesday. “But it’s going to make coding more expensive. I think we’re going to do a crappy job of imposing liability, but it’s going to happen.”


Discussion

  • Alex Cooper on

    Interesting concept. We've seen a lot of vulnerabilities, over the last few years, already be out there in the wild before they're realised as such. Are vendors likely to be liable for a software product for its entire lifetime or, in the case of products like Windows XP, will there be a point at which the vendors have to say "no more support"?
  • Mark E.S. Bernard on

    You must have been reading my campaign to raise awareness of the root-cause of CyberInsecurity because defective software and hardware is at the center of this problem.
  • Ft on

    I dunno. I can't see this applying to all software-- it would make amateur software development prohibitive, but perhaps some kind of liability for software which directly puts human life in danger or something makes sense (?) What would the degree of liability be? A design flaw vs. a security vulnerability are two different things, at least in the analog world-- if a lock maker makes a physical lock that can be picked, they are not typically liable if there are appropriate disclaimers. If a bridge builder makes a bridge that is subsequently blown up by terrorists, they are not generally held liable for flaws in the bridge... So to what extent should software manufacturers be made responsible/liable for malicious abuse of hostile outsiders? What if the problem is in an underlying library and not the software itself? I dunno, seems slippery slopey...
