Backfitting the Safety Act

Lawmakers and experts debate ways to provide liability protections for cyberattacks.

Shutterstock image (by Maksim Kabakou): pixelated shield, protection concept.


Lawmakers are looking at how to wedge new parameters into an anti-terror product liability measure to encompass growing cybersecurity concerns, but tech experts say the move would be complicated.

A House Homeland Security panel heard from experts on how a 2002 law -- the Support Anti-Terrorism by Fostering Effective Technologies Act -- could be adapted to protect companies that make cybersecurity technology and the critical infrastructure providers such as banks, electric utilities and transportation companies that use it.

The Safety Act was written to spur contractors to invent anti-terrorism products and services. Department of Homeland Security-approved products and services that get Safety Act certification would face little or no liability if the technologies failed in connection with a terrorist attack.

Panelists at the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee hearing July 28 were split on how altering the law would affect cyber-defense technology markets.

Brian E. Finch, senior fellow at the George Washington University Center for Cyber and Homeland Security, told the panel that the law should be amended to expand DHS Secretary Jeh Johnson's ability to invoke liability protections to cover acts "other than terrorism" to include cyberattacks.

"In light of those threats, I firmly believe that promoting and incentivizing the use of cybersecurity best practices and effective technologies, policies, and procedures are critical to our nation’s security. I also firmly believe that the private sector is ready and willing to adopt those best practices, technologies, policies, and procedures," he said. However, he added that the challenge "is determining which of those items are in fact 'the best' or even 'quite good.'"

Finch also noted that massive cyberattacks and the cybersecurity decisions that accompany them are inevitably followed by a "tsunami" of lawsuits and second-guessing. "Thus, programs that help companies determine which cybersecurity measures to adopt and will help them minimize their exposure to unnecessarily expensive and protracted litigation are desperately needed," he said.

That argument was countered by Andrea M. Matwyshyn, Microsoft Visiting Professor at the Center for Information Technology Policy at Princeton University. Rolling out blanket liability protections for certain technologies is akin to "allowing [a company’s] general counsel to select" what gets used, she said. That decision, she said, should be left to IT personnel more familiar with constantly shifting technology.

"The Safety Act’s primary feature – a grant of limited liability to companies whose products are certified by the Department of Homeland Security and to their customers – is a poor fit for stimulating improvements and incentivizing adherence to best practices in information security," she said. Allowing protections for certain products would only serve to disrupt the market. "The marketplace for information security products and services has dramatically evolved since the passage of the Safety Act," she said. "While the Safety Act’s liability limitation incentives for creation of new information security products may have been helpful in 2002, in 2015 they are unnecessary."