SAFETY Act liability shield starts showing cracks

This week, Salted Hash has examined the Department of Homeland Security's (DHS) SAFETY Act, and FireEye's promise to customers that their certification under the act provides them protection from lawsuits or claims alleging that the products failed to prevent an attack.

Overall, comments from the security community on the matter have been less than favorable. Most of the backlash centers on the fact that the liability protections the act affords FireEye customers aren't exactly clear, and in some cases look as if they reward organizations for check-box security initiatives, which often do more harm than good.

Moreover, the backlash has also centered on regulatory capture and the fact that FireEye is the only pure InfoSec vendor whose products have been designated and certified under the act as a Qualified Anti-Terrorism Technology (QATT) and placed on the Approved Products List for Homeland Security.

As mentioned yesterday, such an award is viewed as a move that could stifle innovation and competition in the security industry. Yet, while FireEye is currently the only pure-InfoSec vendor on the SAFETY Act list, Salted Hash has heard from two other vendors who are considering it. Both declined to comment for this article.

Customers using FireEye's Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform will see "potential savings on both insurance and legal expenses" due to the protections afforded by the SAFETY Act, FireEye's CEO, Dave DeWalt said in a recent earnings call.

One security expert, speaking about the liability protections offered to buyers, noted that they've "yet to be tested in court."

"Testing the SAFETY Act in court will be like testing cyber insurance in court. In fact most insurance cases that have gone to court haven't fared well. There are some real questions surrounding this program and the liabilities it can actually provide."

For example, when it comes to the attacks that would trigger SAFETY Act protections, how does one speak to intent?

Do the attacks in question have to be terrorism as the public understands it, or as the SAFETY Act defines it? Do nation-state attacks count, and if so, how exactly? Does an organization get the liability protection from a single product, or does its whole security program need to consist of SAFETY Act products?

These questions remain unanswered, and many of them will only see answers after a judge has made a decision.

Another question asked by readers this week centers on configuration changes and installation procedures. Salted Hash looked to FireEye's outside counsel, Brian Finch, for answers.

Q: What happens to the liability if [the customer doesn't] implement or configure the product correctly? Do they lose the liability? If FireEye does all that for them, but they later change something, creating a state that leaves them vulnerable, but not a state that a FireEye engineer would have caused, does that mean they lose their liability protection?

"It depends on what you mean by the customer not implementing the product properly. If the award includes training and implementation services, then the customer still won't face any liability. However if the award does not address those services and they are solely the responsibility of the customer, then they may very well face liability," Finch said.

"With respect to configuration errors, again that is fact specific. Typically an application will go over in detail how a product is installed and integrated, so DHS has confidence that the 'configuration' process will go smoothly. With that, typically there will not be liability for configuration errors."

Ultimately, Finch stressed, questions of configuration or changes to the product are fact specific and will be up to the court to decide.

"It's more about striking a balance - the customer and the vendor can work together on customizing a device, but the customer cannot so radically alter the device and then claim immunity," Finch added.

"It's kind of like turning a pickup truck into a monster truck like 'Bigfoot': you can't expect the manufacturer's warranty to apply to the brakes when you have tires 7 feet tall on the truck at that point!"

Bottom line, if a customer alters a product to the point that it is no longer the same as what DHS reviewed when certifying under the SAFETY Act, then liability protections may well be nullified.

But again, that scenario presumes a customer faces a lawsuit over a breach that centers on product failure. Still, Finch said, it's fair to say customers get very broad protection with FireEye's SAFETY Act award, but no one should think those protections are absolute or all encompassing.

This clarification somewhat diminishes FireEye's stated promise to customers of "unmatched liability protections in the unfortunate event of litigation," because those protections depend on a number of factors, and in some scenarios leave organizations on the same playing field as those that are not FireEye customers.

In a way, the cracks in the liability protection resemble the gap organizations face under PCI DSS: just because an organization is PCI certified and compliant doesn't mean it's actually secure; all it has done is check a box.

Mark Kikta, a penetration tester working for a Fortune 300 company in the financial services sector, shared some additional thoughts when asked his opinion:

"From the counsel's comments, it seems that regardless of what the corporation does elsewhere, as long as they have a FireEye deployment configured and administered by FE, they are relieved from liability.

"This is a dangerous step backwards in the realm of security. It takes the concept of a turnkey security solution, which any security expert will tell you doesn't exist, to the next level; turning what is ostensibly a mediocre threat detection product into breach insurance.

"While the concept of breach insurance in and of itself isn't bad, there seems to be a growing trend whereby businesses are choosing to outsource their security and purchase insurance rather than take the necessary steps to ensure the security of their infrastructure.

"FireEye's counsel compared their product to a pickup truck in their analogy. I disagree with this; it speaks to their mistaken belief that FireEye is a total solution. You can drive a truck off the lot and have a working method of transportation; you can't just install FE and expect to be secure."

Stories by Steve Ragan