Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Security failure as product defect: the new wave of liability
Robert Carolina, Executive DirectorInstitute for Cyber Security [email protected]; +44 7712 007 095
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Robert Carolina
Royal HollowayUniversity of London
Executive Director,Institute for Cyber Security Innovation (2014‐ )
Law & Regulation module leader,Information Security Group, (1999‐ )
Lawyer (England & US)
Practitioner, (1991‐ ); law & regulation of ICT;law & ethics in cyber security
BA (Dayton, 1988)Juris Doctor (Georgetown, 1991)LL.M (London School of Economics, 1993)
2
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Software‐related product liability
Negligence liability?
Victim must prove: duty of care (foreseeable victim) plus unreasonable conduct
3
Strict liability for defective product?
Directive 85/374
No need for victim to prove fault or failure to take due care. Only need to provide that the product lacked safety that would reasonably be expected and this lack of safety caused harm.
BUT this only applies to claims for personal injury/death and damage to non‐business property
AND BESIDES, software (alone) is not a “product”
EXCEPT, a tangible product can become “defective” as a result of flawed software
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Software‐related product liability
Traditional views
This is a “safety” issue, not a “security” issue
Software‐induced product defect that causes death or personal injury is a super‐niche topic for people who manufacture aircraft
But what about the age of IoT?
Product liability law doesn’t care what causes a product to become unsafe – if it’s unsafe, then strict liability attaches
Any remotely accessible control system becomes a potential path to death or personal injury
4
Is the product “unsafe” if a security failure allows remote control of:
Semi‐autonomous vehicle?
ICS‐enabled valves at chemical refinery?
Kitchen appliances?
Home thermostat?
Is this the age of the KILLER APP?
Hypothetical story: 6 persons, 2 pieces of software, 1 car, 1 victim, all fictitious
5
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Hypothetical – the story
Firefly Ltd (Freedonia) develops and supplies "OpenSesame" cryptographic authentication software package.
Bravo Bits Ltd (England) writes BravoDrive software: human‐machine middleware. Incorporates OpenSesameauthentication software.
Einstein Motors Inc (California) adopts BravoDrive as fly‐by‐wire solution in automobiles they manufacture.
Exotic Imports Ltd (England) imports Einstein Sedans from California
6
Jim Johnson (England) purchases an Einstein Sedan from Exotic Imports.
Denis Dastardly (Ruritania) exploits a flaw in OpenSesame, remotely hacks Johnson’s sedan, accidentally commands the car to swerve & crash.
Johnson suffers life‐altering injuries.
Dastardly has no money.He is hit by a bus and dies.
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Hypothetical – the supply chain
7
Firefly Ltd
Bravo Bits Ltd
Einstein Motors Inc
Johnson
Exotic Imports Ltd
Dastardly
OpenSesame
BravoDrive, including OpenSesame
Sedan, inclBravoDrive & OpenSesame
Sedan, inclBravoDrive & OpenSesame
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Hypothetical – the forensic export report
The vulnerability
OpenSesame source code included a subtle coding error – a single misplaced semi‐colon. This created a vulnerability in the (otherwise standard) cryptographic authentication protocol.
Firefly normally has a strong reputation for secure coding, but this Q/A programme was poorly managed.
Dastardly discovered the weakness independently. This was a zero day exploit.
8
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Legal analysis – as the law exists today (June 2019)
9
If victim (Johnson)
brings a lawsuit in England against…
Negligence Analysis Strict Product Liability Analysis (EU)
Duty of care to victim
(foreseeable, proximity)
Acted unreasonably(negligently)
LiableSupply of product
Lacks reasonably expected safety
Liable
Exotic Imports YES No n/a YES ‐ car YES YES
Einstein Motors YES No n/a YES ‐ car YES YES
Bravo Bits Probably yes Probably no Probably no No ‐ software n/a n/a
Firefly Maybe Probably yes Maybe No ‐ software n/a n/a
Dastardly Who cares? He has no money!Any other person in the story, if found liable, could be jointly & severally liable for up to 100% of Johnson’s damages.
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Will EU law change?
European Commission
“Evaluation of Council Directive 85/374/EEC of 25 July 1985 on the approximation of the liability for defective products”, Brussels, 2018.
“Liability for emerging digital technologies”, Brussels, 2018.
10
Digital products
Increasing reliance placed upon software and cloud services
Current project to re‐examine EU law of product strict liability to encompass these
Discussion includes software as a product, software as a service, and other cloud‐based services
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Legal analysis – if the law changes re “digital products”
11
If victim (Johnson)
brings a lawsuit in England against…
Negligence Analysis Strict Product Liability Analysis (EU)
Duty of care to victim
(foreseeable, proximity)
Acted unreasonably(negligently)
LiableSupply of product
Lacks reasonably expected safety
Liable
Exotic Imports YES No n/a YES ‐ car YES YES
Einstein Motors YES No n/a YES ‐ car YES YES
Bravo Bits Probably yes Probably no Probably no YES‐software YES YES
Firefly Maybe Probably yes Maybe YES‐software YES YES
Dastardly Who cares? He has no money!Any other person in the story, if found liable, could be jointly & severally liable for up to 100% of Johnson’s damages.
INSTITUTE FOR CYBER SECURITY INNOVATION
INSTITUTE FOR CYBER SECURITY INNOVATION
Contact Details
Robert CarolinaExecutive Director,Institute for Cyber Security InnovationRoyal Holloway University of London
+447712007095
Copyright © R Carolina.Robert Carolina asserts all moral rights pursuant to the UK Copyright Designs and Patents Act (or any corollary legislation as appropriate)
12