A Call for Vendor Accountability

Sixteen years ago I had just started my career in Information Security (cyber was not a thing yet), and I remember Bruce Schneier, a renowned security expert, arguing that software vendors should be held liable for the security flaws in their products. In a 2008 article, Schneier highlighted the economic inefficiencies stemming from insecure software, noting that the costs of these insecurities are borne by users and organizations rather than by the vendors themselves. In economic terms, insecure software is an externality: the party best placed to fix the problem is not the party that pays for it.

Despite the passage of time, the landscape has not changed significantly. Many vendors continue to transfer (transfer, in the risk-management sense of the word) the risk of security breaches to their customers, leaving them to deal with the fallout. Schneier’s argument remains compelling today.

By making vendors financially responsible for security breaches, we can realign incentives to prioritize secure software development. This shift is crucial in an era where data breaches are increasingly common and costly.

Something changed with the California Consumer Privacy Act in 2018. It was a good beginning (not enough, I know, but we have to start somewhere). The introduction of the European Cyber Resilience Act (CRA) is another step in the right direction.

The SSO Tax: A Barrier to Security

One issue that exemplifies the misalignment of incentives in the software industry is the so-called Single Sign-On (SSO) tax: the additional charge that software vendors impose for SSO support, typically SAML or OpenID Connect integration with the customer’s identity provider. SSO improves security not merely because users have a single set of credentials, but because authentication is delegated to a central identity provider where MFA policy, session controls and offboarding are enforced in one place: disable the account once, and access to every connected application ends. While SSO significantly improves security and streamlines the user experience, many vendors place it behind expensive enterprise tiers.
The SSO Wall of Shame collects examples; the price increases it lists range from +10% to 49,900%. I really like their analogy: “Imagine buying a car and the manufacturer asks for an extra payment to unlock 100% of the braking power. Not offering security features if they already exist in your product means a vendor doesn’t care about your security.”
Sadly, this pricing strategy not only hinders the adoption of an essential security feature, it also shifts the economic burden onto smaller organizations, which are often the least equipped to handle a breach.

The Privacy by Design and Privacy by Default Principles

The European General Data Protection Regulation (GDPR) introduced 8 years ago, in Article 25, the principles of Data Protection by Design and by Default, commonly referred to as Privacy by Design and Privacy by Default. They require that data protection measures be built into business processes and systems from the outset rather than bolted on afterwards. Privacy by Default in particular requires that the most protective settings be the default configuration, so that only the personal data necessary for each specific purpose is processed; read together with Article 32, which requires technical and organizational measures appropriate to the risk, that includes robust authentication mechanisms.

In short, these principles aim to ensure that personal data is adequately protected throughout its lifecycle, minimizing risk and enhancing user trust.
Am I the only one seeing this, or could charging extra for basic security features like SSO or MFA be seen as contrary to these principles?

The Cyber Resilience Act: Another Step Forward

The European Union’s Cyber Resilience Act (CRA) is a recent legislative effort aimed at improving the cybersecurity of products with digital elements. The CRA introduces mandatory cybersecurity requirements for manufacturers, importers and distributors, ensuring that products are secure throughout their lifecycle. This includes harmonized rules for placing products on the market, obligations covering planning, design, development and maintenance, vulnerability handling and security updates for the product’s support period, and a duty of care for the entire lifecycle of such products.

While the CRA is a significant step in the right direction, it is not enough on its own. The Act addresses many issues, such as the low level of cybersecurity in many products and the lack of adequate security updates. However, it does not fully resolve the problem of vendor accountability: it mandates that products meet certain cybersecurity requirements before they are sold, but it does not go far enough in holding vendors liable for breaches caused by their products once they are in use.

Conclusion: Aligning Incentives for Better Security

The call for vendor liability in the event of security breaches is more relevant than ever.
The current economic model does not incentivize vendors to prioritize security. By imposing liability, we can ensure that vendors take the necessary steps to secure their products, ultimately benefiting consumers and the broader market. Moreover, the SSO tax and similar practices undermine the principles of Security/Privacy by Design and by Default.
In conclusion, holding vendors accountable would push them to stop charging extra for essential security features and to ship them enabled by default. This would be a critical step towards a safer digital environment.
It is time for policymakers, industry leaders and Data Protection Authorities to create a framework that prioritizes security and fairness for all users.