SAFETY Act liability shield starts showing cracks
- 07 May, 2015 23:43
This week, Salted Hash has examined the Department of Homeland Security's (DHS) SAFETY Act, and FireEye's promise to customers that their certification under the act provides them protection from lawsuits or claims alleging that the products failed to prevent an attack.
Overall, comments from the security community on the matter have been less than favorable. It's understood that most of the backlash centers on the fact that liability protections under the act afforded to FireEye customers aren't exactly clear; and in some cases look as if they're rewarding organizations for check-box security initiatives, which often do more harm than good.
Moreover, the backlash has also centered on regulatory capture and the fact that FireEye is the only pure InfoSec vendor to see certification and designation under the act as a Qualified Anti-Terrorism Technology (QATT) and certified as an approved product for Homeland Security.
As mentioned yesterday, such an award is viewed as a move that could stifle innovation and competition in the security industry. Yet, while FireEye is currently the only pure-InfoSec vendor on the SAFETY Act list, Salted Hash has heard from two other vendors who are considering it. Both declined to comment for this article.
Customers using FireEye's Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform will see "potential savings on both insurance and legal expenses" due to the protections afforded by the SAFETY Act, FireEye's CEO, Dave DeWalt said in a recent earnings call.
One security expert, speaking about the liability protections offered to buyers, noted that they've "yet to be tested in court."
"Testing the SAFETY Act in court will be like testing cyber insurance in court. In fact most insurance cases that have gone to court haven't fared well. There are some real questions surrounding this program and the liabilities it can actually provide."
For example, when it comes to the attacks that would trigger SAFETY Act protections, how does one speak to intent?
Do the attacks in question have to be terrorism as the public understands it or as the SAFETY Act defines it? Do nation-state attacks count, if so how exactly? Does the organization get the liability protection from a single product or does their whole security program need to have SAFETY Act products?
These questions remain unanswered, and many of them will only see answers after a judge as made a decision.
Another question asked by readers this week centers on configuration changes and installation procedures. Salted Hash looked to FireEye's outside counsel, Brian Finch, for answers.
Q: What happens to the liability if [the customer doesn't] implement or configure the product correctly? Do they lose the liability? If FireEye does all that for them, but they later change something, creating a state that leaves them vulnerable, but not a state that a FireEye engineer would have caused, does that mean they lose their liability protection?
"It depends on what you mean by the customer not implementing the product properly. If the award includes training and implementation services, then the customer still won't face any liability. However if the award does not address those services and they are solely the responsibility of the customer, then they may very well face liability," Finch said.
"With respect to configuration errors, again that is fact specific. Typically an application will go over in detail how a product is installed and integrated, so DHS has confidence that the 'configuration' process will go smoothly. With that, typically there will not be liability for configuration errors."
Ultimately, Finch stressed, the question of configuration or changes to the product are fact specific and will be up to the court to decide.
"It's more about striking a balance - the customer and the vendor can work together on customizing a device, but the customer cannot so radically alter the device and then claim immunity," Finch added.
"It's kind of like turning a pickup truck into a monster truck like "Bigfoot" --- you can't expect the manufacturer's warranty to apply to the brakes when you have tires 7 feet tall on the truck at that point!"
Bottom line, if a customer alters a product to the point that it is no longer the same as what DHS reviewed when certifying under the SAFETY Act, then liability protections may well be nullified.
But again, that would mean that a customer faces a lawsuit over a breach that centers on product failure. Still, Finch said, it's fair to say customers get very broad protection with FireEye's SAFETY Act award, but no one should think those protections are absolute or all encompassing.
This clarification somewhat diminishes FireEye's stated promise to customers of "unmatched liability protections in the unfortunate event of litigation" because those protections are dependent on a number of factors, and in reality places organizations on the same playing field as those who are not FireEye customers.
In a way, the cracks in the liability protection look similar to the ones organizations face under PCI. Or rather, just because an organization is PCI certified and compliant doesn't mean they're actually secure -- all they've done is check a box.
Mark Kikta, a penetration tester working for a Fortune 300 company in the financial services sector, shared some additional thoughts when asked his opinion:
"From the counsel's comments, it seems that regardless of what the corporation does elsewhere, as long as they have a FireEye deployment configured and administered by FE, they are relieved from liability.
"This is a dangerous step backwards in realm of security. It takes the concept of a turnkey security solution, which any security expert will tell you doesn't exist, to the next level; turning what is ostensibly a mediocre threat detection product into breach insurance.
"While the concept of breach insurance in and of itself isn't bad, there seems to be a growing trend whereby businesses are choosing to outsource their security and purchase insurance rather than take the necessary steps to ensure the security their infrastructure.
"FireEye's counsel compared their product to a pickup truck in their analogy, I disagree with this; it speaks to their mistaken belief that FireEye is a total solution. You can drive a truck off the lot and have a working method of transportation; you can't just install FE and expect to be secure."