LAS VEGAS – Jeff Moss, the founder of the Black Hat and DEF CON conferences taking place here this week, sees software liability as an increasingly urgent cybersecurity policy question but one that might take a decade to resolve.
Moss, who spoke Tuesday with Inside Cybersecurity on the sidelines of the 20th annual Black Hat gathering, also discussed how the conferences have grown and have attracted greater participation from policymakers. And he touched on lingering policy issues such as the government-tech sector stalemate over encryption technologies, suggesting that fight is a “losing battle for law enforcement.”
Moss is a consultant on IT security and serves on the Department of Homeland Security Advisory Council, and is a nonresident senior fellow at the Atlantic Council, a member of the Council on Foreign Relations and a member of the Georgetown University Law Center's cybersecurity advisory board.
Addressing the software liability issue has become something of a mission for Moss, who asks, “Why is software the only industry with no liability?”
He explained, “When you install software you sign something absolving them of liability – and that served the software industry well for three decades. But I’m not sure it will for much longer.”
He said “more liability is creeping in” as the Internet of Things brings along interconnected cars that could crash or even smart toasters that could burn down a house. “The industry can try to be proactive, but right now its head is in the sand,” he said. “But if something happens, the government will step in and act.”
The liability protection “doesn’t make sense and is not a defensible long-term thing,” Moss asserted.
Noting that the Digital Millennium Copyright Act allows manufacturers to sue researchers except where the government provides exceptions, Moss said, “The government could really define a greater good by specifying where the DMCA doesn’t apply.” However, he said, “every time the DMCA is up for renewal it’s a giant mess.”
Further, he said, “more concrete privacy legislation could help consumers and manufacturers understand where liability lies – there’s legally no expectation of privacy when data is held by a third party, but zero liability for the people holding data doesn’t seem healthy for the country.”
Moss said legislation “defining expectations for entities holding data would be helpful. Our whole economy is digital, we need to lay down the rules of the road. These are unanswered policy questions that must be resolved.”
But the debate on these issues is hung up, Moss claimed, by some tech companies’ position that any such rules would inhibit innovation – and lawmakers’ reluctance to challenge them on that point.
Moss also stressed that he wasn’t calling for “absolute liability” for software makers – “there are ways to structure liability so that it’s not all or nothing,” he said. “But if the software makers don’t regulate themselves, eventually the government will do it for them.”
The software liability issue was discussed during last year’s deliberations of former President Obama’s cybersecurity commission, but that panel didn’t include recommendations on the issue in its final report. One witness before the commission called software liability “a third-rail topic.”
Black Hat’s evolving role
“Over the years, as the community of hackers, researchers and security people has grown, there’s a need for a third-party neutral voice like the deep think-tank pool that the Pentagon goes to,” Moss said of Black Hat’s evolving role. “We haven’t really had that in cyber, it’s been an informal thing.”
Now, he said, “As hackers grow up and get real jobs, they are the people who know what’s going on, you have to involve them.”
What’s changed at Black Hat, he said, “is the government’s willingness to show up. There used to be a lot of law enforcement [at the events] but now we’re seeing the policymakers. They may see it as good politics to show up, but hopefully it’s also good policy.”
Moss added, “There’s a willingness to engage with this community, at DHS and GSA and other agencies,” referring to a dialogue between government officials and the researchers, technologists and others who historically make up the Black Hat crowd. He also pointed to a growing trend of techies serving in government, saying, “This revolving door is relatively new.”
On encryption, an issue that has pitted the IT sector’s privacy and security demands against law enforcement’s demand for access to communications used by criminals and terrorists, Moss said “there is not an easy answer,” but suggested that law enforcement will find it impossible to find a successful policy answer.
“Somebody somewhere will write an encryption product that law enforcement can’t break,” he said, pointing out that a U.S. law mandating access to encrypted products would not apply to products made overseas.
“There’s never going to be resolution unless it’s mandated weakness, and in that case, the bad guys will be free to use more secure software from anywhere in the world,” Moss said.
The policy questions raised by the emergence of strong encryption technologies simply don’t lend themselves to political compromise, Moss said, despite the stated desire of various government officials – most prominently, former FBI Director James Comey – to reach some kind of deal with the tech sector.
“I don’t think you can split the baby and that’s leading to a lot of frustration among politicians and officials like Comey,” Moss said. “But you can’t argue with math.” – Charlie Mitchell