Should companies be held liable for software flaws?
With more cars and medical devices connecting to the internet, what happens if automakers and health care companies don't start prioritizing digital security?
Many cybersecurity experts worry that faulty code in the so-called Internet of Things (IoT) won't just cause systems to malfunction and freeze. Instead, they say, flaws inside connected cars or pacemakers could lead to serious injury or death.
As a result, leading digital security experts are calling on US policymakers to hold manufacturers liable for software vulnerabilities in their products in an effort to prevent the bugs commonly found in smartphones and desktops from pervading the emerging IoT space.
But can that strategy work? Or will more government regulation stifle innovation?
Those were the big questions at an event Wednesday at the Atlantic Council in Washington. Passcode was a media partner of the event. Here are a few things we learned:
1. Everything is a computer. Act like it
To lay the legal foundation for the Digital Age, policymakers need to start wrapping their minds around the idea that we're living in an era of technology, where everything we depend on is a computer that may be connected to the internet, says cryptographer Bruce Schneier, a fellow at Harvard Law School's Berkman Klein Center for Internet and Society.
"The way to think about the world is that we're creating technology where everything is a computer," he said. "Your smartphone is a computer that makes calls. Your car is a 100-computer network with an engine. That's the Internet of Things."
Though the US government hasn't adopted regulations for the burgeoning space, the Obama administration last month that called on engineers to build secure features into the design of connected products. That followed from the Department of Homeland Security that said manufacturers should prioritize security features for the most harmful functions that could be breached.
But creating a legal regime that determines who's responsible for security flaws in those computers or software, Mr. Schneier says, will require the country to enact consumer protection laws that can more effectively respond to rapid changes in technology. More safety regulation is needed, he added, because consumers still might buy harmful products if they tend to work well, regardless of the potential dangers to their safety.
"The market can't fix this because neither the buyer and the seller care," he said. "Until now, we've given programmers the right to code the world that they saw fit. We need to figure out the policy."
2. Data rules everything around you
In the era of big data, companies can measure many digital security metrics, from the cost of cyberattacks to the susceptibility of employees to phishing and other hacking tricks. But there's still not enough data on IoT breaches, because its spread is so new, says John Soughan, who heads up business in the cyberinsurance division at Zurich North America, a Switzerland-based insurance company.
"Right now, there's not enough data around what are the causes of these breaches, all of the liabilities in there. That's problematic for insurance companies, because that's part of the market," he said. "That's why we're supportive of efforts to collect breach data to make sure we know what the cost of that risk is."
The lack of information on data breaches is also problematic as courts begin to determine how to settle cases where consumers are harmed by internet-connected products. Since there have been few efforts to categorically track the harmful impact of faulty internet-connected products, legal cases against manufacturers are often based on ambiguous threats, which may not be enough to get a ruling, let alone create a precedent for future cases.
What's more, added Wendy Knox Everette, a legal fellow at the technology-focused law firm ZwillGen, "the amorphous threat of some future non-physical harm is not enough for a court to address right now."
3. Learn to live with risk
Even if there is a legal framework for IoT that's designed to protect consumers, people still may need to accept some risk with these types of devices, the experts said.
"We don't want perfectly unbreakable door locks because they'd be too expensive. We choose to bear that risk," said Eli Dourado, director of the Technology Policy Program at George Mason University's Mercatus Center. "You never get rid of externalities. We're trying to get to the most efficient result — the least harm."
So to strike a balance between keeping consumers secure and enabling technology to advance, experts say, policymakers would do well to find ways to get the riskiest products off the market.
"The IoT makes people think about software liability," said Ms. Everette. "Instead of being locked inside desktop computers, [software] is now inside physical devices that can now interact with us and possibly harm us... . You can buy knives, but we no longer have lawn darts on the market. That's a really good way to see how product liability helps you determine your risk."