Recently, I was consulting on the development of cyber strategies intended to lead the way in producing guidance on a rapidly emerging threat.
The objective of this work was to articulate new cyber concepts, doctrine, strategies and technology solutions, using scenario-based intelligence analysis and trans-disciplinary intelligence engineering to advance the current corpus of knowledge and apply it toward the development of cyber attack strategies that manage this emerging risk. Several interesting observations were made along the way. A review of the intelligence surrounding cyber attackers' modus operandi (MO) led to an interesting question.
The question was: What liability should hardware and software vendors bear for vulnerabilities in their products?
Our discussions brought up the legal aspect of this issue in the context of product liability. Product liability is the area of law in which manufacturers, distributors, suppliers, retailers and others who make products available to the public are held responsible for the harm those products cause.
The claims most commonly associated with product liability are negligence, strict liability and breach of warranty. A product liability claim is usually based on one or more of the following causes of action:
- Design Defects
- Manufacturing Defects
- Failure to Warn
A software vulnerability would fall under the defect causes of action, most naturally as a design defect, since every shipped copy of the product carries the same flaw.
IBM X-Force's mid-year report stated that the overall number of vulnerabilities continued to rise, as did the percentage rated high risk. Approximately 3,500 software vulnerabilities were announced in the first six months of 2008, putting the year on track to exceed the total reported in 2007.
Given that our critical infrastructure, our national security and our economy all depend on generally available hardware and software, the question is not academic.
Take the poll below to tell us what you think: Should hardware and software vendors be held accountable for flaws in their products that are exploited to gain access to and compromise a system?