The Lawfare Podcast

Jim Dempsey on Standards for Software Liability

Jan 24, 2024

Jim Dempsey, Senior Policy Adviser at Stanford Cyber Policy Center, discusses the proposal for a software liability regime to shift liability onto those who should be securing their software. Topics include legal theories of liability, process-based safe harbor, certification approach, defining software liability standards, design flaws and liability, and the need for quick action in policy-making.

01:04:22

Creator website

Episode guests

Jim Dempsey

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The proposed software liability regime suggests a rules-based approach to establish per se liability for specific flaws, incentivizing developers to eliminate them and improve software security.

To address the complexity of software, a liability regime should also cover design flaws, adopting a defects analysis approach to determine liability for flaws that may not be explicitly listed but are considered unreasonably dangerous.

Deep dives

Defining the Floor: Minimum Standard of Care for Software

The proposed liability regime for software development starts with a rules-based approach to define a floor, which sets the minimum legal standard of care for software. This floor focuses on specific product features or behaviors that should be avoided, such as default passwords, path traversal, and buffer overflow. By identifying these known weaknesses and flaws commonly exploited by attackers, liability can be attached if a product includes these flaws. The goal is to create per se liability for these specific flaws, incentivizing developers to eliminate them and improve software security.

Introduction

3min

Software Liability and the Standard of Care

24min

Exploring Standards for Software Liability

6min

Approach of Certification in Software Liability

16min

Defining Software Liability Standards and the Role of Sissa

2min

Design Flaws and Liability in Software

12min

The Need for Quick Action and Incremental Progress in Policy-Making

3min

Software liability has been dubbed the “third rail of cybersecurity policy.” But the Biden administration’s National Cybersecurity Strategy directly takes it on, seeking to shift liability onto those who should be taking reasonable precautions to secure their software.

What should a software liability regime look like? Jim Dempsey, a Senior Policy Adviser at the Stanford Cyber Policy Center, recently published a paper as part of Lawfare’s Security by Design project entitled “Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor,” where he offers a proposal for a software liability regime.

Lawfare Senior Editor Stephanie Pell sat down with Jim to discuss his proposal. They talked about the problem his paper is seeking to solve, what existing legal theories of liability can offer a software liability regime and where they fall short, and his three-part definition for software liability that involves a rules-based floor and a process-based safe harbor.

Support this show http://supporter.acast.com/lawfare.

Hosted on Acast. See acast.com/privacy for more information.