Software Vulnerabilities and the Future of Liability Reform
Someone, real soon now, is going to make and win the argument in court that best practices in corporate computing should rule out the use of Microsoft servers and thereby make anyone who does use them liable, along with Microsoft, for the consequences of that decision.
01/22/04 11:56 AM PT
If you were to make up your own list of the top 10 issues likely to affect computing over the next five to 10 years, would you include liability reform in the American legal system? I think you should, even if you live, as I do, in Canada or some other country where American law doesn't apply directly. Change is coming, and that change will affect anyone who works with hardware or software made or sold by American companies.
How change will come is an open question. If the Republicans win this year's elections, liability reform probably will come through the legislative process. That got seriously started last year when Democrats in the House and Senate lined up with the American Trial Lawyers Association to block the president's attempt to cap medical liability claims while imposing some common-sense restrictions on filings.
In doing so, they presented the Republicans with a perfect wedge issue that's easy to explain, won't cost many Republican votes and is guaranteed to appeal strongly to large, traditionally Democrat, blocs such as nurses and others negatively affected by the current system. The other possibility, if the Democrats win, is that change will come through the evolution of case law.
Computers Affected Either Way
Either way, however, the computer business is going to be affected, and your relationships with suppliers, employers or customers are going to have to change with it.
Peel away the layers of the legal onion, and what you find at the heart of the issue as it affects IT is the risk-transference attendant upon using -- or failing to use -- professional best practices. Best-practice adherence offers a magical defense against liability because, hair-splitting to the contrary, professionals who follow whatever best practices are widely considered applicable under the circumstances are reasonably safe from personal liability claims, even if those best practices later turn out to be inadequate.
The question, of course, is what constitutes a best practice, and the only answer I've ever found is that a best practice is whatever an expert witness -- usually a professor or senior consultant with no actual experience in the field -- is likely to believe it to be. In practice, this usually means that best practices significantly lag behind reality and need bear no obvious relationship to good sense.
Data Center Ops
In reviewing data center operations, for example, I always solemnly raise the need to have all employees sign a copy of the organization's formal Internet use policy, not because this has the slightest impact on the behavior of porn addicts or other nits who misuse organizational resources, but because doing so protects me from liability when someone is caught.
To see how adopting majority practices transfers risk, look at the opposite case: Imagine yourself going against local majority opinion, and then ask who wears the horns when the resulting decision goes wrong. I did this once, bringing in Sybase on SPARC to resolve some issues with a couple of racks of SQL servers, only to find myself blamed for the performance problems that arose when a Wintel DBA insisted on her right to delete and remake all the indexes every day.
Basically, it's not the risk of failure that's at issue with best-practice conformance; it's the risk of being out of step that disappears when you adopt blessed practices.
One of the fundamentals of last spring's proposed liability reforms was a rebalancing of the risk transference involved with medical best practices. In that particular industry, case law has evolved a wonderful Catch-22 in which informed consent is required along with procedural best practices. But it is assumed that any patient who accepted risks -- the risks that a review team eventually describes as excessive or unnecessary -- would have made the opposite decision had the practitioner responsible done an adequate job of explaining the risks.
In medicine, therefore, any level of informed consent can be turned against the practitioner by appropriately procured expert testimony. In software, the opposite assumption is usually made -- that the user has the expertise and options needed to make a fair choice on whether or not to accept the risk transferences embedded in licensing -- but the result is equally unbalanced.
Thus last year's federal tort reform package focused on medical liability in the press releases but tried to trim off both extremes in the law: limiting liability, raising the bar for compensation and clarifying assumptions about the relative power and expertise of players in the provider-customer relationship.
If reform arrives via the legislative route, that same broad applicability should be there, although we obviously won't know for sure until well after the politicians are done with it and the first applicable rulings come in. At that time, however, it should finally be possible for someone to hold companies like Microsoft, Computer Associates and Oracle responsible for costs incurred as a direct result of software failures -- and that will dramatically change the industry.
Coming Through the Courts
Something similar seems likely to happen even if the Democrats win; it'll just come through the courts instead of the U.S. Congress as case law gets extended to establish new forms of liability for hardware and software failures.
For example, a few years ago I had several conversations with a senior member at a San Francisco law firm about starting a class action against Microsoft with respect to Code Red -- an attack that still hits my Winface.com server several times a day. The class I had in mind was the group of people who, like me, have no Microsoft licenses of any kind on site and nevertheless incur at least some costs as a direct result of weaknesses in Microsoft's products.
In the end, the firm declined the case, in part because my ability to pay doesn't stack up well against Microsoft's and in part because Microsoft could offer a strong defense: that good professional practice on its customers' part would have mitigated the problem.
I think the outcome of those discussions would be different today for two reasons.
First, Microsoft's best-practices defense is now worse than useless. Back in 2001, third parties, including some not owned or controlled by Microsoft, published vulnerability information as soon as it became available. At that time, therefore, best practices for Windows administrators included checking these third-party sites for early warnings of vulnerabilities and taking counteraction well before the bulk of the attacks occurred.
Today, however, Microsoft has established far more control over the flow of information and generally only provides vulnerability information to the public well after it has developed a patch. As a result, practitioners who adopt Windows best practices as recommended by Microsoft now guarantee the bad guys time to develop, test and distribute exploit code.
Second, both then and now, any court will accept that a professional responsible for collecting and holding sensitive information has to adopt the best possible security practices. In 2001, you could reasonably argue that security best practices ruled out the use of any Microsoft operating system produced since the company stopped selling Xenix, but you couldn't win with that argument in court because most of the people you'd be talking to are technical illiterates who can be counted on to abandon fact for majority opinion on any issue of this kind.
Listening to Reason
Today, however, the positive visibility accorded Linux in the popular press -- coupled with Microsoft's negative security image -- means that most of these people are drifting toward some understanding of the issues and would therefore listen to a reasonable argument on it.
In other words, someone, real soon now, is going to make and win the argument in court that best practices in corporate computing should rule out the use of Microsoft servers and thereby make anyone who does use them liable, along with Microsoft, for the consequences of that decision.
The bottom line is simple: Whether change comes through legislation or through the creation of new case law, liability reform will come. When it does, Microsoft's freedom from liability is going to be just so much collateral damage -- and so is yours, which makes this issue one of the top 10 things likely to affect the IT industry over the next five to 10 years.
Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.