Category Archives: cybersecurity

General Cybersecurity topics

Interested in liability protections? Learn about the Safety Act.

The “Support Anti-terrorism by Fostering Effective Technologies Act of 2002 or Safety Act (no, I don’t know where the “Y” came from) seems to have flown under the radar for the past 15 years with few buyers or sellers of cybersecurity technologies taking advantage of the Act and its liability protections.

Passed in the wake of the terrorists attacks on September 11, 2001, the Act’s stated intent is to incentivize the development and deployment of Qualified Anti-Terrorism Technologies (QATT), including cybersecurity technologies, in a couple very specific ways.

First, the Act limits the Seller of a QATT’s financial liability to an amount determined by the Office of SAFETY Act within the Department of Homeland Security.  In exchange for carrying the required insurance, the seller’s liability is limited to the amount of that insurance (6 CFR Part §25.7(a)).  Additionally, no punitive, exemplary (§25.7(b)(1)), or noneconomic damages, “unless the plaintiff suffered physical harm” are available to the plaintiff (§25.7(b)(2)).

This is all great news for the Seller of a QATT, but what about their customers?  Section 25.7(d) extends these liability protections downstream:

“There shall exist only one cause of action for loss of property, personal injury, or death for performance or nonperformance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity. In addition, such cause of action must be brought in the appropriate district court of the United States.”

So putting it all together, any cause of action resulting from an Act of Terrorism regarding a QATT has exclusive federal jurisdiction, has a cap to awards, cannot include punitive, exemplary, or noneconomic (with exceptions) damages, and can only be brought against the Seller, not their subcontractors, suppliers or buyers.

What is an Act of Terrorism?  The determination of an Act of Terrorism is left to the Secretary of Defense (or their designee), but the requirements are that the Act:

  1. Is unlawful;
  2. causes harm; and
  3. uses methods designed or intended to cause mass destruction.

There is no requirement that the Act of Terrorism have a political basis.  Many attacks against public and private sector enterprises could fall under this umbrella.

Of course, this is a very high-level overview of a 10 page regulation, but with so many benefits for themselves and their customers, companies are tripping over themselves to get to the Office of Safety Act right?

Actually, according to the Approved Awards Search site only around a dozen companies have earned awards for cybersecurity related technologies.  In a world where over 300 vendors exhibited at the most recent BlackHat conference, it would seem that the ability to offer your customers any level of liability protection would make a great differentiator.

 

WOW! It’s been a while

It has been way to long since I’ve posted anything here.  For the diligent, thank you for sticking with me.  I’m back on the train and will get back to regular posts.

My practice has been picking up, so I’ve been a bit busy.  For those that don’t know, my legal practice is centered around cybersecurity issues.  Primarily:

  • Mergers and Acquisitions diligence
  • Risk Assessment
  • Security and privacy policy creation and review
  • Breach planning and response
  • Cyber-insurance
  • PCI-DSS, HIPAA HITECH, GDPR analysis and review
  • Negotiating Technology Agreements
  • Terms of Use
  • End User License Agreements
  • Helping startups address security issues
  • IT Counseling
  • Calling out Security “snake oil” salespeople

It is a fun and interesting way to spend my days.  I get to play with all the areas of my firm’s practices, I get to meet cool and interesting people, and I get to solve problems.

There is a great essay from Eric S. Raymond called “How to Become a Hacker“.  It is one of my favorite pieces of writing on what hackers are and the ethos.  I need to reread it every year or so to remind me that there are people like me and how I need to focus my attention.  Everyone should read the essay. The 5 attitudes ESR calls out, that have become my mantras are:

1. The world is full of fascinating problems waiting to be solved.

2. No problem should ever have to be solved twice.

3. Boredom and drudgery are evil.

4. Freedom is good.

5. Attitude is no substitute for competence.

My practice really does let me find “fascinating problems waiting to be solved” and I feel really enthused every time I get to find that solution.

Anyway, more to come.

Bills of the 85th session

Now that the 85th Texas legislative session is over, here is a list of the cybersecurity and privacy bill that made it through.  For the complete list of the bills I tracked this session, click here.

House Bills

Bill Author Caption Stage Notes
HB8 Capriglione Relating to cybersecurity for state agency information resources. Effective 9/1/2017 A significant bill affecting multiple agencies. Requires all security incidents to be report to the Department of Information Resources (DIR) within 48 hours of detection. Also includes a provision for the Sunset Commission to include cybersecurity in their review of state agencies. Additionally directs DIR to conduct exercises and to address duplication of efforts within state agencies. Well worth reading the full bill.
HB9 Capriglione Relating to cybercrime ; creating criminal offenses. Effective 9/1/2017 Amends the Penal Code to include criminal offenses for malware and ransomware, among other cybercrimes.
HB1278 Dutton Relating to availability of Previous personal information of certain current and former prosecutors. Effective immediately Excepts the personal information of district attorneys, criminal district attorneys and municipal attorneys from public disclosure.
HB1861 Elkins Relating to the confidentiality of certain information related to a computer security incident. Effective immediately Adds a provision to §552 (public information act) that excepts information related to security incident information.
HB2087 VanDeaver Relating to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose. Effective 9/1/2017 An interesting bill targeted at restricting the use of student’s profiles gathered by online services. As many of these services are nationwide, it would be interesting to see this bill in action

Senate Bills

Bill Author Caption Stage Notes
SB42 Zaffirni Relating to the security of courts and judges in the state. Effective on 9/1/17 Excepts disclosure of personal information of judges and their spouses from disclosure.
SB179 Menéndez Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense. Effective on 9/1/17 David’s Law
SB532 Nelson Relating to reports on and purchase of information technology by state agencies. Effective on 9/1/17 One to keep an eye on. The bill directs agencies to provide information to the Department of Information Resources about their security programs and risks. DIR must provide a public analysis of the risks and plans.  Also has some language about cloud computing and state agencies.
SB564 Campbell Relating to the applicability of open meetings requirements to certain meetings of a governing body relating to information technology security practices. Effective on 9/1/17 Expands (currently only applies to the Department of Information Resources) an exception to open meetings requirements to allow for closed meetings of governmental bodies to discuss security assessments, network security information, or other security issues.
SB705 Birdwell Relating to an exception from disclosure under the public information law for certain personal information of an applicant for an appointment by the governor. Effective immediately Excepts the personal contact information of persons applying for appointment by the governor or the senate from public disclosure under the PIA.
SB843 Perry Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act. Effective on 9/1/17 Prohibits the release of applications for compensation
SB1910 Zaffirini Relating to state agency information security plans, information technology employees, and online and mobile applications. Effective on 9/1/17  Requires each state agency to submit a security plan to the DIR.  Also calls out that if an agency has a CISO, that CISO should report outside of the IT department!!! 🙂

We have to do better: Pacemaker security

Last week Billy Rios and Jonathan Butts published a research on the security of pacemakers.  In all they identified over 8000 vulnerabilities in third-party components within the subsystems of 4 major vendors’ physician programming and home monitoring devices.

These vulnerabilities exist primarily because vendors are able to cut development time by using commonly available libraries.  While the libraries may be considered secure when initially deployed, over time new vulnerabilities are discovered.  Unfortunately the patches for these vulnerabilities are not uniformly applied.

This is a common problem with embedded devices, internet-of-things things, and industrial control systems.  The use of public libraries makes sense to get a product to market, but many vendors don’t account for the update and patch process.

Additionally, as I’ve written about before, many vendors still use hardcoded or backdoor passwords.  The researches have been able to verify hardcoded credentials in three of the four devices tested.

We have to demand better from the vendors selling critical information technology, whether it is an industrial control system or medical equipment.  Simple vulnerabilities like insecure libraries, the inability to patch, and hardcoded credentials must be addressed by vendors.