Security failure as product defect: the new wave of liability
Robert Carolina, Executive Director, Institute for Cyber Security Innovation
[email protected]; +44 7712 007 095

2019-06-17


INSTITUTE FOR CYBER SECURITY INNOVATION


Robert Carolina

Royal Holloway University of London

Executive Director, Institute for Cyber Security Innovation (2014‐ )

Law & Regulation module leader, Information Security Group (1999‐ )

Lawyer (England & US)

Practitioner (1991‐ ); law & regulation of ICT; law & ethics in cyber security

BA (Dayton, 1988); Juris Doctor (Georgetown, 1991); LL.M (London School of Economics, 1993)


Software‐related product liability

Negligence liability?

Victim must prove: duty of care (foreseeable victim) plus unreasonable conduct


Strict liability for defective product?

Directive 85/374

No need for victim to prove fault or failure to take due care. Only need to prove that the product lacked safety that would reasonably be expected and this lack of safety caused harm.

BUT this only applies to claims for personal injury/death and damage to non‐business property

AND BESIDES, software (alone) is not a “product”

EXCEPT, a tangible product can become “defective” as a result of flawed software


Software‐related product liability

Traditional views

This is a “safety” issue, not a “security” issue

Software‐induced product defect that causes death or personal injury is a super‐niche topic for people who manufacture aircraft

But what about the age of IoT?

Product liability law doesn’t care what causes a product to become unsafe – if it’s unsafe, then strict liability attaches

Any remotely accessible control system becomes a potential path to death or personal injury


Is the product “unsafe” if a security failure allows remote control of:

Semi‐autonomous vehicle?

ICS‐enabled valves at chemical refinery?

Kitchen appliances?

Home thermostat?

Is this the age of the KILLER APP?


Hypothetical story: 6 persons, 2 pieces of software, 1 car, 1 victim, all fictitious


Hypothetical – the story

Firefly Ltd (Freedonia) develops and supplies "OpenSesame" cryptographic authentication software package.

Bravo Bits Ltd (England) writes BravoDrive software: human‐machine middleware. Incorporates OpenSesame authentication software.

Einstein Motors Inc (California) adopts BravoDrive as fly‐by‐wire solution in automobiles they manufacture.

Exotic Imports Ltd (England) imports Einstein Sedans from California.


Jim Johnson (England) purchases an Einstein Sedan from Exotic Imports.

Denis Dastardly (Ruritania) exploits a flaw in OpenSesame, remotely hacks Johnson’s sedan, accidentally commands the car to swerve & crash.

Johnson suffers life‐altering injuries.

Dastardly has no money. He is hit by a bus and dies.


Hypothetical – the supply chain


Firefly Ltd
  ↓ OpenSesame
Bravo Bits Ltd
  ↓ BravoDrive, including OpenSesame
Einstein Motors Inc
  ↓ Sedan, incl. BravoDrive & OpenSesame
Exotic Imports Ltd
  ↓ Sedan, incl. BravoDrive & OpenSesame
Johnson

Dastardly (attacker)


Hypothetical – the forensic expert report

The vulnerability

OpenSesame source code included a subtle coding error – a single misplaced semi‐colon. This created a vulnerability in the (otherwise standard) cryptographic authentication protocol.

Firefly normally has a strong reputation for secure coding, but this Q/A programme was poorly managed.

Dastardly discovered the weakness independently. This was a zero‐day exploit.


Legal analysis – as the law exists today (June 2019)


If victim (Johnson) brings a lawsuit in England against…

| Defendant | Negligence: duty of care to victim (foreseeable, proximity) | Negligence: acted unreasonably (negligently) | Negligence: liable | Strict product liability (EU): supply of product | Strict product liability (EU): lacks reasonably expected safety | Strict product liability (EU): liable |
|---|---|---|---|---|---|---|
| Exotic Imports | YES | No | n/a | YES ‐ car | YES | YES |
| Einstein Motors | YES | No | n/a | YES ‐ car | YES | YES |
| Bravo Bits | Probably yes | Probably no | Probably no | No ‐ software | n/a | n/a |
| Firefly | Maybe | Probably yes | Maybe | No ‐ software | n/a | n/a |

Dastardly: Who cares? He has no money!

Any other person in the story, if found liable, could be jointly & severally liable for up to 100% of Johnson’s damages.


Will EU law change?

European Commission

“Evaluation of Council Directive 85/374/EEC of 25 July 1985 on the approximation of the liability for defective products”, Brussels, 2018. 

“Liability for emerging digital technologies”, Brussels, 2018.


Digital products

Increasing reliance placed upon software and cloud services

Current project to re‐examine EU law of product strict liability to encompass these

Discussion includes software as a product, software as a service, and other cloud‐based services


Legal analysis – if the law changes re “digital products”


If victim (Johnson) brings a lawsuit in England against…

| Defendant | Negligence: duty of care to victim (foreseeable, proximity) | Negligence: acted unreasonably (negligently) | Negligence: liable | Strict product liability (EU): supply of product | Strict product liability (EU): lacks reasonably expected safety | Strict product liability (EU): liable |
|---|---|---|---|---|---|---|
| Exotic Imports | YES | No | n/a | YES ‐ car | YES | YES |
| Einstein Motors | YES | No | n/a | YES ‐ car | YES | YES |
| Bravo Bits | Probably yes | Probably no | Probably no | YES ‐ software | YES | YES |
| Firefly | Maybe | Probably yes | Maybe | YES ‐ software | YES | YES |

Dastardly: Who cares? He has no money!

Any other person in the story, if found liable, could be jointly & severally liable for up to 100% of Johnson’s damages.


Contact Details

Robert Carolina
Executive Director, Institute for Cyber Security Innovation
Royal Holloway University of London

+447712007095

[email protected]

Copyright © R Carolina. Robert Carolina asserts all moral rights pursuant to the UK Copyright Designs and Patents Act (or any corollary legislation as appropriate)
