In this episode, host Paul Roberts chats with Daniel Woods, a Cybersecurity Lecturer at The University of Edinburgh on the sidelines of the 2023 Black Hat USA conference about his briefing: “Lemons and Liability: Cyber Warranties as an Experiment in Software Regulation.”

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey, welcome back to another episode of ConversingLabs Cafe. We're coming to you today from the Black Hat briefings in Las Vegas, Nevada. It's Thursday, the second day of Black Hat. And I am joined in the ConversingLabs studio by the amazing Daniel Woods.

DANIEL WOODS
Yeah, lovely to be here.

PAUL ROBERTS
Daniel, tell our viewers a little bit about yourself.

DANIEL WOODS
Yeah so, I have kind of two hats. One is at the University of Edinburgh, where I'm a Lecturer in Cybersecurity, that's the British version of Assistant Professor. And the other is a Researcher at Coalition who are a leading cyber insurance and security service provider.

PAUL ROBERTS
And you gave an amazing talk today at the show called Lemons and Liability.
Where you're talking about just what it sounds like: The application of product liability thinking, like lemon laws to software and applications. Really fascinating concept. Could you tell us just a little bit about kind of the history of that?

DANIEL WOODS
Yeah I think the core insight or driver of the talk is that software security displays aspects of the lemons market.
And the core problem is buyers of software struggle to differentiate between secure and insecure software. And that essentially creates the wrong incentives, because if you're a software vendor and you face the choice between investing in costly security measures and just skimping on them, then the market won't actually reward the costly measures because the buyer can't identify secure software.
So that creates a lemons market where the market is flooded with lower quality products.

PAUL ROBERTS
Kind of first one to market wins basically. And you did some research around this. Talk a little bit about what you did.

DANIEL WOODS
So the lemons market is a famous, there's a famous economic paper with the same title that goes back to the 1970s, George Akerlof, who won a Nobel prize, and what he describes is the policy responses to a lemons market. One is reputation, so a producer gets a reputation high quality goods. Another is warranties. That's what I looked at. Liability, transparencies, they're all there. But specifically what I looked into is, there's been this emerging process within the infosec space, where vendors attach warranties to their products.
So they say, if our product fails to stop a breach, we will pay you up to however many million dollars, a breach related costs.

PAUL ROBERTS
We've seen that. Some of the vendors out here on this floor have offers like that. Do they work?

DANIEL WOODS
Yeah, so it's a good question. So I think it depends what you mean by "work." So I would say they seem to have some signaling value.
So in the study we collect some information on customer satisfaction with different products. We look at the endpoint protection space where 25% of the products are sold with an associated warranty. And we find that those products have higher customer satisfaction. Potentially, it seems warranties might be signaling some quality of the product.
But, in terms of the second question, which is, do they transfer risk to the client? Transfer risk from the client, actually. I don't think it's the case, depending on who you speak to. Some of the warranty providers in this hall, in this this conference hall, will proudly claim their warranty has never paid out.
They think this is a sign that it's working, but of course there have been many breaches of organizations who deploy their product. It's just that the terms and conditions are drafted in such a narrow way that, it doesn't actually transfer risk from the client to the vendor.

PAUL ROBERTS
So in the physical world with physical products liability is a little bit easier to establish.
You think about maybe Takata airbags or something like that. It's supposed to deploy. It doesn't deploy, really clear. With software and particularly cyber security attacks, it's a much fuzzier question as to, what was the weak link that led to the compromise, the theft of data, what have you. Deployment of the malware. How do these questions generally get resolved? And for a company might be looking to license software where there's some kind of warranty attached. Are there sort of red flags in the language or the structure of that warranty that they should be on the lookout for?

DANIEL WOODS
It's a difficult question to answer because they're emerging very slowly. So one thing in the talk is the first warranty was announced at Black Hat 2014. That was associated with an application security testing firm, White Hat Security. And then, over time, more and more vendors have offered warranties, but we don't actually have particularly good information on what happens if, you've deployed an input protection product with a warranty attached, and you've also had a security audit from this firm. How those warranties interact? We don't really know how that works.

PAUL ROBERTS
So the other piece of this is the Lemon Law piece, which is a regulation, a public policy response. Which really puts the onus on manufacturers to not design and sell balky products that don't work. Where are we with that? Is that something that we might see?

DANIEL WOODS
Yeah, so like the core problem here is there's probably 15 to 20 out of +25 vendors offering warranties and they voluntarily come forward and offer them in the InfoSec space. But, of course, there's thousands, tens of thousands, maybe even hundreds of thousands of software vendors. And many of the most important vendors don't have any liability.
For instance, one of the questions in my talk was what about breaches like the MoveIT vulnerability. And I think this is a core problem that often the solution would be for a provider of, say, a VPN service to really build security in. And it's hard for an infosec vendor to bolt on security, but the incentives just aren't there.
And that's where the kind of liability regime comes in, because then the government says, Hey, if you're selling mission principle software and you're not taking the security measures, then you should be made liable. So there's no voluntary aspect.

PAUL ROBERTS
Right. So in addition to being a professor, as you said, you work for Coalition.
Which is an insurance company. Obviously cyber insurance is another market based response to this problem. What are insurers like Coalition doing around this question of software liability?

DANIEL WOODS
Yeah, so one I think point is information . So we said before it's hard for buyers to identify secure software. One thing that Coalition can do is we observe the technology policyholders have and the negative consequences in terms of breaches, the size of the incident. And what we've actually been able to do in our 2023 Claims Report is show that organizations with certain software, so for instance, Fortinet, internet facing devices are associated with a three times likelihood of a claim, which is huge.
And I think part of what we're trying to do is communicate that to policyholders and help shed some transparency in the ecosystem.

PAUL ROBERTS
So one of the things that's happening in cyber insurance as I understand it, is insurers are getting a lot more restrictive setting the bar a lot higher for their clients. As these companies go out and look for cyber insurance, what are the types of things that they're gonna be asked to do? Is that bar really going up?

DANIEL WOODS
Yeah, so I would say so the market took a shift after the ransomware epidemic, and now most insurers, it changes over time as the market ebbs and flows, we're asking for multi-factor authentication, endpoint detection and response, kind of core basic cyber hygiene. I would say the difficult thing is different insurers will ask for that in different ways.
Some insurers will ask for a checkbox, do you have MFA, which nowadays is basically a meaningless question. The vast majority of organizations have some form of MFA, and really the difficult parts are how it's configured and managed. So I think you just have to go through a broker who knows the market, but in particular, if you want the kind of support of the insurer, try to ask and request an insurer who's interested in active insurance, improving your security posture, and you will have a partner in that.

PAUL ROBERTS
Let me ask you, one of the big, so obviously one of the big trends is not just that folks are licensing applications, software applications, but of course the Internet of Things, right?
So software is running on all of the physical stuff in our homes and businesses and so on. And one of the problems that's come up is basically the same informational problem. You have two webcams, one for $20, where they've made no investment in cybersecurity, one for $25 where they have, the purchaser has no way of knowing that.

DANIEL WOODS
Yeah, Amazon ranks by price, you see the $20 one.

PAUL ROBERTS
Why would I pay an extra 5? I'll buy this one. It's because, they don't use any encryption or something like that. So what do we do about the Internet of Things problem and how do we get this type of thinking into connected devices?

DANIEL WOODS
It's interesting, I think before this you had some of the folks from CISA on. So there's interesting transparency regimes, so like IoT product labeling, creating mandatory guidelines for those manufacturers, so no hard coded passwords. And I think that's the push.

PAUL ROBERTS
Yeah. And do you think that will have a beneficial effect down the road?

DANIEL WOODS
It seems so, based on the theory. It's always hard to see in practice.

PAUL ROBERTS
On the issue of kind of software supply chain and we've just seen so many stories, 3CX, SolarWinds, you name it.
Often these result, these are... Damages to downstream customers who have licensed this software. Often the attack comes in the form of a signed software update. What should, companies that are doing software development know or understand about this liability question?
And how might it influence the work that they do in terms of secure development, secure by design, secure deployment?

DANIEL WOODS
So I think right now it's a negative side of how we set things up. Potentially, they don't really need to know anything because they're not liable, right? I think the really...

PAUL ROBERTS
Where we are now?

DANIEL WOODS
Where we are right now, I think the interesting thing in the 2023 National Cybersecurity Strategy is the Biden administration, they're talking about shifting liability onto those actors, and in particular, when they fail to take reasonable precautions, and I think this is going to be you know, a community driven project where different people help to define what reasonable is. Because as you said, there's a range of different measures that could be required of these vendors.
But the general structure is, if they do certain procedures, then they will be immune from liability.

PAUL ROBERTS
Safe harbor, as it were.

DANIEL WOODS
Exactly, it's called a safe harbor.

PAUL ROBERTS
Yes, interesting. Okay, so Daniel, for our viewers... Where can they find more about you online and the work that you do and maybe give them some tips on, if they're out there shopping for software, concerned about buying some lemon software, there's a lot of it, what they can do to help inform themselves.

DANIEL WOODS
Yeah, so for following me, I've migrated away from Twitter or now X, just as it descends into chaos.

PAUL ROBERTS
You're not alone.

DANIEL WOODS
Yeah, but I'm on LinkedIn, I share... My university research, my Coalition research there. So that's a good place to follow me. Yeah, and then in terms of software, so to give like specific advice relevant to Coalition... Yeah. Your insurer is ultimately a partner. We're one of the few kind of...

PAUL ROBERTS
On your side?

DANIEL WOODS
Vendors who are on your side, because if we face a claim, if you have a loss, we pay some of the claim, but we pay all of the claim and some of the loss.
And yeah so we're on your side, we're collecting data and we want to share that with you through notifications, through these statistics, like certain technology being associated with breaches. So I would say look to your insurer, because the kind of more mature insurers are collecting this data and they're in a really good place to make recommendations.

PAUL ROBERTS
Daniel Woods of Coalition, University of Edinburgh. Thank you so much for coming on and speaking to us on ConversingLabs Podcast. We'll have to do it again.

DANIEL WOODS
No, it was great. It was a joy to speak. Thank you very much.