Should companies be held liable for software flaws?
At an Atlantic Council event, cybersecurity experts said software liability laws could help safeguard the emerging Internet of Things.
A prototype of Google's own self-driving vehicle is seen during a media preview of Google's prototype autonomous vehicles in Mountain View, Calif., September 29, 2015.
Elijah Nouvelage/Reuters
With more cars and medical devices connecting to the internet, what happens if automakers and health care companies don't start prioritizing digital security?
Many cybersecurity experts worry that faulty code in the so-called Internet of Things (IoT) won't just cause systems to malfunction and freeze. Instead, they say, flaws inside connected cars or pacemakers could lead to serious injury or death.
As a result, leading digital security experts are calling on US policymakers to hold manufacturers liable for software vulnerabilities in their products in an effort to prevent the bugs commonly found in smartphones and desktops from pervading the emerging IoT space.
But can that strategy work? Or will more government regulation stifle innovation?
Those were the big questions at an event Wednesday at the Atlantic Council in Washington. Passcode was a media partner of the event. Here are a few things we learned:
1. Everything is a computer. Act like it
To lay the legal foundation for the Digital Age, policymakers need to start wrapping their minds around the idea that we're living in an era of technology, where everything we depend on is a computer that may be connected to the internet, says cryptographer Bruce Schneier, a fellow at Harvard Law School's Berkman Klein Center for Internet and Society.
"The way to think about the world is that we’re creating technology where everything is a computer," he said. "Your smartphone is a computer that makes calls. Your car is a 100-computer network with an engine. That’s the Internet of Things."
Though the US government hasn't adopted regulations for the burgeoning space, the Obama administration last month that called on engineers to build secure features into the design of connected products. That followed from the Department of Homeland Security that said manufacturers should prioritize security features for the most harmful functions that could be breached.
But creating a legal regime that determines who's responsible for security flaws in those computers or software, Mr. Schneier says, will require the country to enact consumer protection laws that can more effectively respond to rapid changes in technology. More safety regulation is needed, he added, because consumers still might buy harmful products if they tend to work well, regardless of the potential dangers to their safety.
"The market can’t fix this because neither the buyer and the seller care," he said. "Until now, we've given programmers the right to code the world that they saw fit. We need to figure out the policy."
2. Data rules everything around you
In the era of big data, companies can measure many digital security metrics, from the cost of cyberattacks to the susceptibility of employees to phishing and other hacking tricks. But there's still not enough data on IoT breaches, because its spread is so new, says John Soughan, who heads up business in the cyberinsurance division at Zurich North America, a Switzerland-based insurance company.
"Right now, there’s not enough data around what are the causes of these breaches, all of the liabilities in there. That’s problematic for insurance companies, because that’s part of the market," he said. "That’s why we're supportive of efforts to collect breach data to make sure we know what the cost of that risk is."
The lack of information on data breaches is also problematic as courts begin to determine how to settle cases where consumers are harmed by internet-connected products. Since there have been few efforts to categorically track the harmful impact of faulty internet-connected products, legal cases against manufacturers are often based on ambiguous threats, which may not be enough to get a ruling – let alone create a precedent for future cases.
What's more, added Wendy Knox Everette, a legal fellow at the technology-focused law firm ZwillGen, "the amorphous threat of some future non-physical harm is not enough for a court to address right now."
3. Learn to live with risk
Even if there is a legal framework for IoT that's designed to protect consumers, people still may need to accept some risk with these types of devices, the experts said.
"We don’t want perfectly unbreakable door locks because they’d be too expensive. We choose to bear that risk," said Eli Dourado, director of the Technology Policy Program at George Mason University's Mercatus Center. "You never get rid of externalities. We’re trying to get to the most efficient result – the least harm."
So to strike a balance between keeping consumers secure and enabling technology to advance, experts say, policymakers would do well to find ways to get the riskiest products off the market.
"The IoT makes people think about software liability," said Ms. Everette. "Instead of being locked inside desktop computers, [software] is now inside physical devices that can now interact with us and possibly harm us... . You can buy knives, but we no longer have lawn darts on the market. That’s a really good way to see how product liability helps you determine your risk."