Dan Geer Touts Liability Policies For Software Vulnerabilities

Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software.

BLACK HAT USA -- Las Vegas -- Software vendors will probably not rejoice in some of the security policy proposals put forth by Dan Geer during his keynote Wednesday morning at the Black Hat USA conference in Las Vegas.

Some of Geer's suggestions -- all reasoned and responsibly sprinkled with caveats -- are for legal measures that would push much of the onus of security onto those who develop vulnerable software; particularly those about source code liability, "abandonment" of software code bases, and vulnerability discovery.

One trouble, Geer says, is that users have no legal recourse if shoddy coding exposes them to undue danger -- making it wholly unlike other product defects. He quoted the Code of Hammurabi, written over 3,700 years ago: "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."

"Today the relevant legal concept is 'product liability,'" said Geer, "and the fundamental formula is 'If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.' For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer."

Geer suggests that software vendors be given two choices. They could allay liability by giving the user the option to say "no" to whatever software components they don't want to trust, allowing the user to disable those components. Or, said Geer, if the software vendors do not wish to provide such capability, then they must accept liability for damage done, just like manufacturers of cars or purveyors of hot coffee.

"The software houses will yell bloody murder the minute legislation like this is introduced," said Geer, "and any pundit and lobbyist they can afford will spew their dire predictions that 'This law will mean the end of computing as we know it!' To which our considered answer will be, 'Yes, please! That was exactly the idea.'"

There is also the matter of accelerating the discovery and disclosure of vulnerabilities. Geer says that the U.S. can capitalize on the fact that vulnerability discovery is now a real "job," not just a hobby, and get their hands on vulnerabilities by outspending the rest of the world.

"There is no doubt that the U.S. Government could openly corner the world vulnerability market," said Geer, "that is, we buy them all and we make them all public. Simply announce 'Show us a competing bid, and we'll give you [10 times more].' Sure, there are some who will say 'I hate Americans; I sell only to Ukrainians,' but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible."

As for software that is no longer supported by the vendors, Geer suggested that code bases be subject to the same abandonment rules that apply to other possessions. If someone abandons their car, their children, their home, or other possessions, there are policies in place to transfer ownership to someone else. Geer proposes that perhaps at the point that a vendor decides that it will no longer provide security updates, that the code base should become open-source -- in other words, passing ownership of the abandoned code over to the public.

Geer presents this with the caveat that it is "the worst option, except for all others."

Geer also issued thoughts about policies regarding the right to strike back at attackers (not just defend against them), fall backs and resiliency, the right to be forgotten, Internet voting, mandatory reporting of security incidents, Net neutrality, and the convergence of cyberspace and "meatspace." Those topics will be addressed in forthcoming posts on DarkReading.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio