CSTPR has closed May 31, 2020: Therefore, this webpage will no longer be updated. Individual projects are or may still be ongoing however. Please contact CIRES should you have any questions.
Ogmius Newsletter

Ogmius Exchange

Governmental Responses to Cybersecurity Breaches

Photo of Magnifying glassThe original development of computer software arose in an environment where threats to computer security were largely contained.  In the early days of computer programming, most users were not part of “networked systems” where their applications were exposed to external threats – be they from denial of service attacks, viruses, what have you.  The development of high speed networks and faster computer equipment has both enabled more and more of the economy to be based on the creation, transmission, storage, and processing of information and, as a consequence, raised the importance of computer security.  Not surprisingly, policymakers are taking notice of the issue.

The changing attitude toward computer (or cyber) security is likely to lead to different legal and business approaches.  The traditional cyber-culture tolerated “buggy code” as the norm; after all, there was often little harm in allowing your customers to also be your beta testers, particularly where there were both competitive and customer pressures to provide fixes in the latest patches or in new versions of the software.  But in the current environment, the massive amount of damage to intangible property – i.e., stored information and computer programs – inflicted by viruses, denial of service attacks and the like have led businesses and policymakers to approach the issue differently. 

Historically speaking, the development of the computer industry arose largely outside the shadow of tort law, which holds producers of products responsible for injuries to person or property.  This protection from legal liability reflected a number of self-reinforcing factors: damage to computer programs from security breaches often only involves money damages related to the product itself and thus is generally addressed outside the realm of tort law (under the economic loss rule), software often is sold through “shrink-wrap” contracts that disclaim any warranties for damage to the programs from security breaches, and the courts have yet to develop any clear standard of care that would have to be breached to give rise to liability.  In the wake of recent high profile attacks, however, some are beginning to ask whether software firms should be held responsible for failures to protect their users.  As Dorothy Denning, a computer science professor at Georgetown University, put it “If Firestone makes a tire with a systemic flaw, it is liable.  If MSFT produces an operating system with three systemic flaws per week, it is not liable. Something is wrong there.”

The comparison between Microsoft as a producer of computer software to Firestone as a tire manufacturer raises several fundamental questions about the role of tort law in the information technology sector.  An initial question is whether it is fair to hold Microsoft liable for the failure to design better systems up front.  The answer to this question may well turn on how one conceptualizes the nature of cybersecurity attacks:  are they more like rocks in the road that should not disrupt the operation of functional tires or are they more like snipers at the side of the road who are taking shots at your tires?  A second wrinkle, raised in a recent suit against Microsoft, is the argument that where a buyer lacks any real choice because a firm has a monopoly on certain software products, the seller (here, Microsoft) has special duties that require heightened attention to security.  This argument, if accepted, would differentiate between cases in the market for large enterprise customers, where purchasers can often make informed choices and assume risks about security, and mass market customers who often cannot make such choices.  (Over the long term, it is possible that “application providers” will sell software as a service to the mass market and differentiate from one another on, among other things, security protections.)  A third wrinkle arises from the complexity of attributing blame among the various players involved.  Modern communications networks are designed to combine software, hardware and services from a wide range of vendors and service providers in such a way that encourages interconnection and interoperability.  This creates an environment that makes pinpointing responsibility a complex and potentially inexact task.  In some cases, tort law responds to such scenarios with the “joint and several liability” doctrine, but applying that approach to the cybersecurity context might well ensnare in liability the careful firms along with the reckless ones.

The courts are likely to continue to face more and more cases seeking to hold liable software providers, Internet Service Providers, and other information technology firms who expose customers to security risks (or fail to protect them adequately against such risks).  In the meantime, however, Congress has begun to consider and, in some cases, enact certain safeguards.  One basic safeguard, used to encourage solutions to Y2K issues, is to require clear disclosure by major firms as to how they are mitigating any risks to their data and their customers.  Moreover, in specific industries, Congress has gone ahead to require certain levels of security protection – notably, for the financial services sector and the storage of health care information.  Taking this approach one step further by prescribing certain requirements, such as security assurance testing, for all software developers would parallel the regulatory strategy used in a number of other industries (including to assure automobile safety).  But imposing such requirements is not without risk, as so doing may well create undue burdens on small software developers and the open source software community.  Recognizing this possibility, it would not be unprecedented for larger firms to support such measures that would constitute barriers to entry.

One reason that action by the federal government is quite likely is that, in the absence of federal leadership, state governments are likely to step into the vacuum.  At present, some state governments have already become involved in this process, most notably by enacting legislation that addresses the general need for companies to secure consumer information and notify customers of potential breaches.  California has even taken this process a step further by specifying guidelines for companies to follow.  State governments are limited in their ability to address the entirety of computer security issues, as the interdependence of different players in this arena is a national (and indeed, an international) issue.  Recognizing how the interdependence and cooperation of different entities may leave certain security issues under-addressed, the former government cybersecurity czar has called for federal government funding to spur the development of the Internet’s core protocols as a means of upgrading its security and better guarding against cyber-attacks.  But such responses, like the enactment of legislation or the development of new judicial doctrines, are going to take time.  In the meantime, this area will continue to be in flux and beg for creative policy and business responses to an issue that is not going away.

In the automobile industry, the concerns related to products not manufactured up to par gave rise to the development of legal liability under tort law as well as governmental regulatory oversight.  The computer industry is different than the automobile in terms of its fast-changing technological environment, its intangible nature, and the fact that customers often make knowing choices about differing levels of risk and have traditionally borne the responsibility for protecting themselves against what are generally economic consequences of security failures.  But for customers who do not have the necessary information and are left vulnerable by providers of faulty products or services, the government has a legitimate role to help safeguard consumers.  Moreover, because the Internet will continue to contain security vulnerabilities, there are important reasons for the government to play a role in supporting its development.  Identifying these problems and reasons for concern does not, however, point the way to an obvious solution.  Thus, at this point, all we can conclude is that the government’s increasing concern – and the concomitant awareness of businesses – is a very healthy development and that government must strike the right balance between pressuring businesses to address the problem and not dictating particular technological approaches that could potentially thwart the development of new technologies.

Authors’ note:

This paper was part of a recent conference that brought together leaders in technology, business, and law to consider society's responses to cybersecurity threats and to work toward an integrated understanding of security.  This conference launched the Computer and Communications Security Research and Education Center (CCSC), a new interdisciplinary unit of the University of Colorado at Boulder.  This event was co-sponsored by the Silicon Flatirons Telecommunications Program.

Phil Weiser
Interdisciplinary Telecommunications &
School of Law
University of Colorado
phil.weiser@colorado.edu

Douglas C. Sicker
Interdisciplinary Telecommunications &
Department of Computer Science
University of Colorado
douglas.sicker@colorado.edu