As the National Security Agency controversy continues to swirl, NSA Director General Keith Alexander – like any good officer – is counterattacking. In addition to defending the NSA, he is also seeking ways to help contractors that support his operations. In particular, testifying recently before the Senate, Gen. Alexander stated that some sort of liability immunity was needed for private sector companies that undertook cyber-defensive actions.
He in particular noted that “If the government asks [a] company to do something to protect the networks, or to do something and a mistake is made, and it was our fault, then they should have liability protection for that.”
Alexander is not alone here. Politico’s Tony Romm reported that White House officials could support some form of liability protection for “defensive countermeasures” taken against cyber attacks. Senate Intelligence Committee Ranking Member Saxby Chambliss added that providing the private sector with liability protection for using certain countermeasures “is essential to encouraging better cybersecurity” and should be considered a “vital” part of cybersecurity legislation.
So we are agreed then – cyber liability protection is not only needed, but vital. Too bad passing legislation like that, especially in a Congress that cannot even agree on a farm bill, seems like a fantasy at best. If only there was some way to get from here to there without Congressional action …
Oh wait – the SAFETY Act. Shoot, forgot about that one.
For those who don’t know, the SAFETY Act is a law that was passed way back in 2002 to encourage the continued deployment of new and existing security tools by granting specific liability protections to those items after they have undergone a rigorous review by the Department of Homeland Security. Further, the protections apply only when the Secretary of Homeland Security declares that the attack meets specific statutory criteria.
Hang on – some will say: that law as passed applies only to widgets and “terrorist” attacks. Wrong. A quick review of SAFETY Act awards demonstrates that services and policies, as well as widgets, are eligible for SAFETY Act protections. Beyond that, “terrorist” attack is an incredibly broad term, defined so broadly that it encompasses essentially any intentionally unlawful attack that causes harm, including economic harm. Cyber attacks clearly fall in that category.
Okay, so for the sake of argument let’s say that the SAFETY Act provides the kind of liability protections being thought about. What can Gen. Alexander and others do to encourage its use? Well, first Alexander and others can instruct procurement officials to follow the Federal Acquisition Regulations, specifically FAR 50.2.
FAR 50.2 states that agencies should “[d]etermine whether the technology to be procured is appropriate for SAFETY Act protections and, if appropriate, formally relay this determination to DHS for purposes of supporting contractor application(s) for SAFETY Act protections” and “[e]ncourage offerors to seek SAFETY Act protections for their offered technologies…”
Now, of course, this does not mean that contractors must pursue SAFETY Act protections to win a procurement (the FAR prohibits making that a requirement), but procuring agencies should at least be looking into the applicability of the SAFETY Act and actively educating their vendors about its existence.
Moreover, consistent with Sen. Chambliss’s comments, let’s not forget that the SAFETY Act also applies when cybersecurity tools are sold for purely commercial use. In other words, Company X sells its cybersecurity tool to Company Y to protect its networks, control systems, whatever. If Company X has SAFETY Act protections for its cybersecurity tool, it can take advantage of the liability protections. So too, in fact, can Company Y (the liability protections flow down to Company Y in a limited fashion). Sounds like a “twofer”, doesn’t it? And hey, you, ISPs, I would pay especially close attention to this. Liability protections just sitting out there, waiting to be taken advantage of … sounds like something your General Counsels and Boards would want to dive into.
So where does that leave Gen. Alexander, the White House, the Hill, and everyone else? I would say with a longer to-do list. Executive Branch – start following FAR 50.2. Congress – highlight the good work you have already done and tweak where needed (adding language for instance that allows the Secretary to declare a “cyber incident” or something similar in order to make her life easier). And private sector – grab the low hanging fruit.
There is plenty of work to do when it comes to cybersecurity and liability protection, but we should take advantage of the tools already available. Sometimes there are easy (well, easier) answers out there.
Brian E. Finch is a Partner at Dickstein Shapiro LLP and an adjunct law professor at The George Washington University Law School. You can follow him on Twitter at @BrianEFinch