Who is Responsible for Cybersecurity Liability?

A growing voice in the Cybersecurity chorus since 2018 is the CISA, the Cybersecurity and Infrastructure Security Agency. Congress created this agency to identify security threats, share information and support incident response in defense of the USA’s critical infrastructures. Recently the CISA and other Federal agencies released Secure by Design principles to encourage the software industry to build security into their products rather than asking the end user to bolt on security to keep their data safe.

Building security into the software that impacts user’s daily lives sounds reasonable. Sort of like building your house on a stable and secure foundation rather than trying to prop it up with sticks once it starts leaning. However, the underlying object of the new guidelines seems to be more about liability than secure software. As released, the principles intend to move liability away from users and critical infrastructure providers to make the organization writing the software responsible for security, and breaches if they occur.

At first, this seems a legitimate ask. Software and other technology vendors have been adding security layers, mechanisms, and operating requirements for years. The bit these principles seem to be overlooking is that criminals hack software, criminals write malware, criminals intentionally break, crack, or otherwise alter software to do damage. While this is obvious to anyone working in Information Technology, it seems to be an afterthought when the intention is to make the technology vendor liable for the actions of criminals. Unfortunately, this is one reason Secure by Design, Secure by Default principles will likely be overlooked or take a decade to become reality.

While technology vendors should have some level of liability just like car manufacturers or drug makers, shifting user error prevention onto the vendor creates a level of risk that technology organizations are not ready to assume. Moreover, if they step into this new liability arena their products will become increasingly difficult or time-consuming to use. Just imagine having to overcome MFA challenges every time you start your PC, and when you login to it, and when you start your email application, and every time you click the send button, and, and, and. You get the picture. When these vendors are 100% liable for your actions, they will be forced to challenge every action with some level of authentication, untold numbers of are you sure buttons, and unknown new security mechanisms that will impact every user.

So where is the balance, where should the liability rest, and who decides? Given the CISA released principles rather than pushing Congress to enact laws, the answers remain unclear. Everyone understands the speed of Information Technology improvements contributes to hackability. So perhaps the question should be how long are users willing to wait for the next version of XYZ to ensure is it sage to use? Some drugs are tested for years before they are approved. Are users willing to wait five years for the next iOS update or banking app update? If not, that suggests users are willing to take some risks to benefit from the next new thing sooner. In doing so, users are also taking some level of risk and responsibility for security. Today, users are comfortable saying I am when the question becomes who is responsible for security?

Between today and the day that vendors do take ownership for securing their products, applying your own security practices, product, habits, and practices will be required. Hackers spend their time working to defeat technology vendor’s security, and they always will. Given the long road to un-hackable technology, finding and working with a partner who understands current security practices and realities is a good first line of defense for you and your organization.

If you’re looking for IT solutions or help with your security, contact iT1 today to learn more about our Security Risk Assessment.

AUTHOR BIO
Dr. Mike Lewis serves as Chief Information Officer, EVP of Informatics, Security & Technology for Trillium Health Resources, a managed-care organization serving more than 350,000 members in North Carolina. He earned his Doctor of Management degree from George Fox University and is a former MBA adjunct professor at Maryhurst University. Mike has worked in the IT field for more than 25 years with stints at IBM, Merisel, and Dell.