A debate has ensued in Germany that IT industry should be held responsible for security breaches affecting the public.
According to this report “Leading German politicians have called for IT and telecoms equipment makers to be held liable for cyber attacks, after a failed attempt to hijack consumer router devices caused widespread disruption for Deutsche Telekom customers”.
The incident involved outages that occurred in the system due to a cyber attack.
The call for “Accountability” of IT equipment manufacturers to assume part of the risk for cyber attacks has naturally invited criticisms from the industry.
A similar question has been raised at naavi.org several times particularly on companies who sell sub standard software for Banking as well as equipment manufacturers such as ATMs.
As per ITA 2000/8 there is a concept of “Vicarious Liability” where by an “Intermediary” and a “Company” is liable for any offence committed with the use of the resources managed by the “Intermediary” or the “Company” unless “Due Diligence” is practiced.
The concept of “Due Diligence” means that every IT stake holder should take such steps as are necessary at his level to prevent cyber crimes from occurring. Otherwise it may be considered as “Abetment” by “Passive assistance”.
There is no doubt that there has to be a limit upto which this argument has to be carried but the core concept of “Liability for Negligence” is necessary to ensure that the environment is kept safe.
We often argue that the civic authorities should be held liable if there are pot holes on roads that cause accidents. We want cinema hall owners/even organizers to be jailed if fire safety has been ignored causing loss of lives, automobiles or mobiles are recalled for defects. If this is fine, there is no problem in considering a software/IT equipment vendor responsible for damages caused by the product failing some minimum expected quality aspects.
The limit to which the vendors should be subjected can be loosely defined as “If reasonable precautions are not taken”.
One of the areas where software vendors are guilty is to release software versions with known “Bugs” without proper “Documentation” when they pass on the ownership of a software to the buyer/licensee.
Software/Equipment manufactures must disclose the “Known Bugs” and also disclose and declare that “Reasonable Testing processes have been adopted” to ensure that the product is free from known bugs. If therefore a “Zero day Vulnerability” is found, there has to be a liability fixed on the vendor at least to a nominal extent.
This is part of developing “Cyber Law Compliant” products sold in a “Cyber Law Compliant Process” and must be adopted by all IT software/equipment vendors.
When cyber attacks arise due to exploitation of “back doors” deliberately left by the vendors some times for genuine reasons and the consent of the buyers are not taken for keeping them open, the liability should be boarne completely by them.
I hope that the call by German Politicians is considered as also a wake up call for Indian IT manufactures and that they initiate actions on Cyber Law Compliance to be integrated into their process without further delay. They should understand that such compliance does not end with “Reasonable Security Practice” under Section 43A of ITA 2008 and extends much beyond.