U.S. Evaluating Legal Protections for Cybersecurity Technologies
A law designed for counterterrorism technologies has relevance to network capabilities.
The Department of Homeland Security’s SAFETY Act is finding a new application as it may serve to protect against the potential for lawsuits arising from the National Institute of Standards and Technology Cybersecurity Framework. Lawyers are answering questions from clients about possible legal actions, and the department and institute are working together to ensure developers work with confidence.
Concern arises from requirements laid out in the framework; some people believe they could provide the basis for prosecution in the event of a technology failure. The SAFETY in SAFETY Act stands for Support Anti-Terrorism by Fostering Effective Technologies, and the legislation protects providers of qualified anti-terrorism technologies, including products, services, software and other forms of intellectual property, from third-party claims resulting from an act of terrorism where those technologies have been deployed. Department officials put each approved technology through a rigorous review process before issuing it the legal protections. The impetus behind the law is to ensure that threat of liability does not deter potential manufacturers or sellers of anti-terrorism technologies from developing, deploying and commercializing them. The secretary of Homeland Security declares an event as an act of terrorism, which has not occurred since the act’s rollout in 2002.
Bruce Davidson, SAFETY Act Office director, says companies have come to his organization with questions about implementing the framework. The Department of Homeland Security (DHS) is engaging with the National Institute of Standards and Technology (NIST) and plans to commence a pilot-type effort for applications to run through the act’s review process during fiscal year 2015. Davidson explains that interesting work to implement the framework is underway in various sectors, including energy and banking. He adds that having standards offers benefits such as helping to organize thoughts and build capabilities in an organized manner, which are important considerations in cyberspace. “It’s a challenging area, no doubt about that,” Davidson states.
The department has an initiative to improve the process of evaluating cyberspace. Part of the ongoing work is to develop better models to ensure the government remains current on developments, including through participation in NIST workshops that followed the framework rollout. That guidance has become a benchmark for judgment and an incentive to improve, Davidson says. The public sector has experts working on enhancing cybersecurity even as the private sector advances readiness in the field. “Addressing an issue is better than trying to ignore it and hope it doesn’t show up at your doorstep,” he explains. The DHS/NIST collaboration, in part, aims to move in front of problems before they occur. NIST declined to comment on the issue, deferring to the DHS as the authority.
The framework signals the risk of cyber attacks, but it also opens the door to claims that organizations did not take reasonable care to protect their assets. Dismas Locaria, partner, Venable LLP, explains, “Negligence lawsuits stem out of a reasonable duty to protect against harm.” The SAFETY Act’s existence encouraged companies to bring to market the counterterrorism technologies the government and others need amid fear after 9/11 that, in another attack, they could be liable for tens of millions of dollars if their capabilities had problems. Fast-forward a few years and cybersecurity has become a significant concern for the government, especially as enemies a world away can reach into networks to wreak havoc. Entities need to firm up defenses, and one method is through regulation.
NIST’s framework provides some of that oversight as formal cybersecurity legislation remains in limbo. However, it is not a mandatory requirement. The DHS looks at how to inform owners and operators and how to adopt the guidelines and better secure networks. In the absence of a mandatory regulatory scheme, companies can show they have put in place cybersecurity practices and programs that are capable and effective and apply for SAFETY Act coverage. The move has the double benefit of encouraging development and motivating people to adopt the framework. Brian Zimmet, partner, Venable, explains that, short of the worry of being sued, no regulatory reason exists to adopt the framework. “The SAFETY Act is one way to have people adopt it,” Zimmet says. The protections could add value, especially to groups such as the owners of critical infrastructure, who have—or should have—robust cybersecurity measures in place.
Despite the fact that the SAFETY Act is more than 10 years old, many people still are unaware of its existence, though Venable says more groups are learning about it and want more information. Its application to the framework is a new use. Zimmet believes the government is trying to spread the word that the act offers real benefits. Designation as an approved technology will require showing that cyberpractices, as with counterterrorism capabilities, meet minimum quality requirements and standards. Zimmet says companies are trying to determine how the act and framework fit into their overall liability management process. “We’ll have to see how that develops over the next year or so,” he states. Locaria adds that Venable, which does free briefings on the topic, is trying to raise awareness on aspects of the act and on its relation to the framework.
The SAFETY Act offers two levels of protection: designation and certification. According to the department, for the former, “a technology must demonstrate effectiveness during operational testing or through prior use. Designation provides a liability cap as well as exclusive action in federal court, no joint and several liability for noneconomic damages, and no punitive damages or prejudgment interest.” The phrase “no joint and several liability” is legal language depicting cases in which more than one group is held liable. Certification provides all the protections of designation and allows anti-terrorism technology sellers to assert the government contractor defense that immunizes sellers from liability for claims arising from acts of terrorism. Technologies that receive certification are placed on the Approved Products List for Homeland Security.
Davidson shares that, “The program has been well received in our view by the private sector.” His office had approved 689 applications as of September 2014; the first was submitted in 2003. Not all are separate technologies. The total covers 350 to 400 individual products and services. Every five years, the designations and certifications have to be renewed. This policy ensures that deployed technologies remain relevant for the operational environment.
Over time, more than 1,000 applications have been received. Within 30 days after receiving one, the DHS determines its level of completeness. Those with all the necessary information are passed on to subject matter experts for review. The others are returned with an explanation of what else is required. Approximately 60 to 65 percent are deemed complete upon initial receipt. For accepted applications, approval numbers are high. As of early September in fiscal 2014, 62 were approved and two were denied.
Sometimes when discussing the program with the public, Davidson notices some expectation that if a terrorist attack succeeds, the technology or security system put in place must have failed. “In an open society, you can’t stop all attacks ... if we’re to expect technologies to have a 100 percent guarantee of no successful attack, I think that’s unrealistic,” Davidson says. To reduce risk to zero, “I think you’d be looking at a far different society than we have right now.”
However, officials do all they can to help ensure approved technologies are as robust as possible. A significant effort involving subject matter experts, risk management officials and others is put into reviewing applications. Though stopping short of a guarantee, approved technologies are likely to be effective. The act is important economically as well, whether in terms of development or expanding into different markets. For many companies, deploying into certain situations that would combat terrorism does not include a significant increase in corporate revenue. Add in the possibility of being sued for more than the potential profits, and most decision-makers decide against risking their entire enterprise. The SAFETY Act offers a level of confidence that encourages the private sector to pursue applications beneficial to society.
Over time, the technologies submitted for review have become more complex and broader in scope. Layered security, for example, has become more prevalent. Davidson explains that the 22-page rule is detailed and complex and can be confusing, so the department and its experts try to be as open as possible. Applicants need to realize their proposals will go to knowledgeable evaluators, so they need to be specific and thorough in writing and documenting their application; marketing language is not going to cut it.
Davidson’s impression of the act is that it has had a significant impact on anti-terrorism technologies, increasing their deployment and deterring attacks. He says that impact is evident in added security in facilities such as stadiums and in procurement numbers. He estimates that the economic impact of the act in terms of factors such as jobs and aggregate revenues, compared with program expenses, is 500:1. “I think we’re having a pretty big impact,” Davidson states. Businesses of all sizes have submitted technologies for approval. Given more resources, program staff would like to do more outreach and process more applications. “It’s pretty well understood this program is resource constrained,” Davidson explains. “That’s not a bad thing. Not every program has to be robustly funded.”
Moving forward, the SAFETY Act office aims to make its processes more user friendly to applicants. And it will continue to work on cybersecurity issues, which could be affected if Congress passes official legislation on the topic.