Should companies be held liable for software flaws?

At an Atlantic Council event, cybersecurity experts said software liability laws could help safeguard the emerging Internet of Things.

Elijah Nouvelage/Reuters
A prototype of Google's own self-driving vehicle is seen during a media preview of Google's prototype autonomous vehicles in Mountain View, Calif., September 29, 2015.

With more cars and medical devices connecting to the internet, what happens if automakers and health care companies don't start prioritizing digital security?

Many cybersecurity experts worry that faulty code in the so-called Internet of Things (IoT) won't just cause systems to malfunction and freeze. Instead, they say, flaws inside connected cars or pacemakers could lead to serious injury or death. 

As a result, leading digital security experts are calling on US policymakers to hold manufacturers liable for software vulnerabilities in their products in an effort to prevent the bugs commonly found in smartphones and desktops from pervading the emerging IoT space.

But can that strategy work? Or will more government regulation stifle innovation? 

Those were the big questions at an event Wednesday at the Atlantic Council in Washington. Passcode was a media partner of the event. Here are a few things we learned:

1. Everything is a computer. Act like it

To lay the legal foundation for the Digital Age, policymakers need to start wrapping their minds around the idea that we're living in an era of technology, where everything we depend on is a computer that may be connected to the internet, says cryptographer Bruce Schneier, a fellow at Harvard Law School's Berkman Klein Center for Internet and Society.

"The way to think about the world is that we’re creating technology where everything is a computer," he said. "Your smartphone is a computer that makes calls. Your car is a 100-computer network with an engine. That’s the Internet of Things."

Though the US government hasn't adopted regulations for the burgeoning space, the Obama administration last month released guidelines for IoT devices that called on engineers to build secure features into the design of connected products. That followed a similar strategy from the Department of Homeland Security that said manufacturers should prioritize security features for the most harmful functions that could be breached. 

But creating a legal regime that determines who's responsible for security flaws in those computers or software, Mr. Schneier says, will require the country to enact consumer protection laws that can more effectively respond to rapid changes in technology. More safety regulation is needed, he added, because consumers still might buy harmful products if they tend to work well, regardless of the potential dangers to their safety. 

"The market can’t fix this because neither the buyer nor the seller cares," he said. "Until now, we've given programmers the right to code the world as they saw fit. We need to figure out the policy."

2. Data rules everything around you

In the era of big data, companies can measure many digital security metrics, from the cost of cyberattacks to the susceptibility of employees to phishing and other hacking tricks. But there's still not enough data on IoT breaches, because the technology is so new, says John Soughan, who heads up business in the cyberinsurance division at Zurich North America, a Switzerland-based insurance company.

"Right now, there’s not enough data around what are the causes of these breaches, all of the liabilities in there. That’s problematic for insurance companies, because that’s part of the market," he said. "That’s why we're supportive of efforts to collect breach data to make sure we know what the cost of that risk is."

The lack of information on data breaches is also a problem as courts begin to determine how to settle cases in which consumers are harmed by internet-connected products. Since there have been few efforts to systematically track the harm done by faulty internet-connected products, legal cases against manufacturers are often based on ambiguous threats, which may not be enough to win a ruling, let alone create a precedent for future cases.

What's more, added Wendy Knox Everette, a legal fellow at the technology-focused law firm ZwillGen, "the amorphous threat of some future non-physical harm is not enough for a court to address right now."

3. Learn to live with risk

Even if there is a legal framework for IoT that's designed to protect consumers, people still may need to accept some risk with these types of devices, the experts said.

"We don’t want perfectly unbreakable door locks because they’d be too expensive. We choose to bear that risk," said Eli Dourado, director of the Technology Policy Program at George Mason University's Mercatus Center. "You never get rid of externalities. We’re trying to get to the most efficient result – the least harm."

So to strike a balance between keeping consumers secure and enabling technology to advance, experts say, policymakers would do well to find ways to get the riskiest products off the market. 

"The IoT makes people think about software liability," said Ms. Everette. "Instead of being locked inside desktop computers, [software] is now inside physical devices that can now interact with us and possibly harm us... You can buy knives, but we no longer have lawn darts on the market. That’s a really good way to see how product liability helps you determine your risk."
