In February 2018, France turned up the conversation on software liability for manufacturers who place known defective software components in their products. But, they were not the first in the world to do this.
As of 2019, this global conversation has evolved further, as we continue to advocate for the use of a software bill of materials. My insights on this global conversation below - and stay tuned for the release of our 2019 State of the Supply Chain Report, which will shed more light on where current liability and regulations stand.
According to Lukasz Olejnik, law makers in France just suggested a desire to "put the security liability in hands of product suppliers. In other words, making companies responsible for the security of products they put on the market - for as long as the products are commercially available."
He goes on to say, "The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date. The strategy itself mentions taking this discussion to the international level. This will be interesting." You betcha, Lukasz.
The need for improved cyber hygiene in the UK reached new heights in 2017 following large scale ransomware attacks on its nation's hospital system and an increased focus on software liability. The U.K.'s National Cyber Security Strategy 2016 - 2021 report remarked, "Businesses and organizations decide on where and how to invest in cyber security based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems. Cyber attacks are not necessarily sophisticated or inevitable and are often the result of exploited – but easily rectifiable and, often, preventable – vulnerabilities. In most cases, it continues to be the vulnerability of the victim, rather than the ingenuity of the attacker, that is the deciding factor in the success of a cyber attack."
Shedding a spotlight on the cyber hygiene and software liability, Britain’s Information Commissioner's Office (ICO) -- the country's data regulator, said a hacker exploited a well-known security flaw on a Gloucester City Council website months after the vulnerability had been widely reported on and updated component versions had been made available. The ICO fined the Gloucester City Council £100,000 in June 2017 for not preventing a cyber attack exploiting the OpenSSL Heartbleed vulnerability.
In August 2017, U.S. Senator's Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT) introduced bipartisan legislation called the Internet of Things Cybersecurity Improvement Act of 2017.
According to a fact sheet released at the time, "While Internet of Things (IoT) devices and the data they transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges. This legislation is aimed at addressing the market failure by establishing minimum security requirements for federal procurements of connected devices."
The proposed legislation requires vendor commitments:
To ensure devices don't contain known security vulnerabilities when shipped
To ensure proper disclosure of new security vulnerabilities discovered within their devices
To prepare remediation plans for any IoT device where known vulnerabilities have been discovered
While the legislation is clearly aimed at consumer protections and privacy, it also focuses on quality, safety and regulatory standards applied to every other major manufacturing industry (thou shall not ship products with known defects). The legislation specifically calls for vendors selling IoT devices "to provide written certification that the device does not contain, at the time of submitting the proposal, any hardware, software, or firmware component with any known security vulnerabilities or defects."
When the innovation race is being run without proper oversight, getting to the finish line safely will require greater (and faster) care. That’s set to be a major challenge for organizations developing software under the forthcoming EU General Data Protection Regulation (GDPR) in May 2018.
Article 32 of the GDPR states that organizations must "implement appropriate technical and organizational measures" to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." When combined with Article 25, which mandates that data protection measures be implemented "by design and by default," it's clear that privacy and security must become ingrained in every element of IT infrastructure.
If you fail to follow these rules and known software vulnerabilities end up inadvertently helping hackers steal sensitive consumer data, you could be on the hook for seriously big fines: up to €20 million, or 4% of global annual turnover – the greater of the two.
In July 2017, a consumer advocacy group in Germany has filed a law suit against a retailer in Cologne that sold an inexpensive smartphone made by Mobistel. The Mobistel model Cynus T6 was sold in Media Market stores for just 99 euros. Sounds like a great deal, right? Not so much. You see, the phone's software came with 15 critical and known security vulnerabilities which were not disclosed to the consumer at the time of purchase.
Instead, these security flaws were later identified by investigators from the Federal Office for Information Security (BSI). Unfortunately for Mobistel and Media Market, consumer advocacy groups tend to fight back when manufacturers and retailers sell products to consumers without disclosing "essential information" such as known security defects in a smartphone.
Although the complaint is at an early stage, it points to the possibility that companies manufacturing software applications could be held liable for selling defective products to consumers — in exactly the same way that auto makers have long been held liable for defective parts in cars.
Think again. According to Sonatype's 2017 State of the Software Supply Chain Report, 80 - 90% of a modern application is now assembled from open source and third-party components. The report goes on to say, "it is incumbent upon development organizations to practice good hygiene when consuming open source components. Teams with suboptimal hygiene inevitably consume open source components with critical vulnerabilities. Last year, 5.5% (1 in 18) components downloaded from internet-based open source repositories contained known security vulnerabilities."
What does this mean for you? If you have not been paying attention, the chance that software your organization is building contains a known software vulnerability is nearly 100%.
Organizations failing to manage software supply chains, who are unwittingly releasing vulnerable applications into production, will face increased liability due to gross negligence.
Are you prepared?
Note: Sonatype offers a free service called "Sonatype Vulnerability Scanner" to help you determine what components in your software have known security vulnerabilities.