A coalition of security experts, led by the SANS Institute, wants to do just that. No, they aren’t trying to do it through government legislation (at least, not yet), but rather by including that responsibility in contract terms. The premise is that most attacks use programming mistakes (vulnerabilities) and that the software companies should be legally liable for those mistakes.
From the consumer point of view, at first glance it seems like a good idea. Product liability is nothing new, of course – but is software different? Is it even possible to write code that can’t be exploited? Would imposing this type of liability on vendors result in too many unintended consequences, such as making software so expensive that no one would be able to afford it? Would it lead to abuse by companies and individuals that fail to practice basic security measures because, after all, if they’re attacked, they can just blame it on the software vendor? And what about open source software? Who will be held responsible for vulnerabilities when there is no vendor?
What if you continue to use old, less secure software after new versions come out? Will you still be able to hold the vendor liable for your losses? If I keep the old style latch bolts – which can be easily opened with a credit card – on my doors, and my home is burglarized, should I be able to hold the lock manufacturer and/or the homebuilder legally liable for my losses? Or is it my own fault for not upgrading to more secure deadbolts?
The other problem is determining exactly what compensation would be appropriate. Often it’s difficult or impossible to put an accurate monetary value on the losses due to a security breach. Who gets to determine that value? The one who suffered the loss? Seems like there’s a powerful incentive there to exaggerate it, just as so many insurance fraudsters claim losses far in excess of the actual damage.
Many people argue that if Toyota makes a car that has defective brakes, they’re liable for that. But unless physical injury/damage or loss of life occurs, they aren’t required to replace the car – just to fix the brakes. Isn’t that what software vendors already do when they issue updates to patch vulnerabilities? And EULA notwithstanding, if you suffer a loss due to defective software, you can still file a lawsuit against the software vendor. So would the new contract terms really change anything, anyway? It’s an interesting subject, and logical arguments can be made on both sides.