Diners contracting food poisoning at restaurants created the political pressure and will to force restaurant inspections by the public health service, and it has worked well ever since.  

Plane crashes created the National Transportation Safety Board.  Once it began its work, the number of plane crashes dropped because the public finger pointing between pilots and plane manufacturers ended.   Finally, an impartial entity could correctly place the blame.

ADVERTISEMENT
Underwriters Laboratory was created to stop electrical appliances from causing fires.   Today, big box stores will not sell devices with plugs that do not have a UL seal.

The crash test dummies of the Insurance Institute for Highway Safety keep us safe.   Insurers use the data to set insurance premiums for every model of car, and consumer reports use the data to advise the public on the safest and most dangerous cars.   

Supply chain discipline exist in cars so that a single defective car part can be traced immediately back to the supplier, and laws exist so the manufacturer is forced to recall the car part and bear the cost of fixing it.

The term ‘firewall’ comes from the brick wall that Chicago forced to be built between every row house, after the city burnt down for the second time. 

But there are no building codes in software.   

In the world of software, none of these rational checks and balances exists.   

There is also no product liability for software.  The End User License Agreement (EULA) every one signs, and current law, prevent it.   Even though more than ten people died from a software bug in a chemotherapy device that delivered too much radiation to patients, there was no lawsuit and no damages were awarded.   

Software vendors regularly issue codes with exploitable, known vulnerabilities in them.  The pressure to get code out-the-door means they can and do release them with known exploitable vulnerabilities -- because no one is looking.

According to the Verizon Data Base Breach Report of 2015, 97 percent of the breaches in 2015 came from known vulnerabilities. That is, these are bugs in code that have been publicly announced.  

It is not rational behavior that businesses buy a defective piece of software, transfer all legal risk of its failure to them through a EULA, then try and insure themselves against the risks of defects in a product they did not build.   

Mayo Clinic and Exxon have decided to stop the irrational behavior and act in their self-interest.   They have procurement policies that force companies to accept liability for software flaws that cause a breach.    And Mayo forces companies to go through extensive testing and to provide a bill of materials to insure none of the software has known vulnerabilities.   

Many software companies opposed the Royce bill from last Congress, which would have forced companies selling to the federal government to provide a bill of materials so the buyer could be sure there were no known vulnerabilities in the code. 

If passed, the Royce bill likely would have stopped the rash of ransomware attacks on multiple hospital servers that were riddled with a well-known Java vulnerability (J-boss) that had not been patched.

But these small measures in the Royce bill were opposed by the software industry, which has no oversight, no liability, no regulation and forces their customers to assume any liability for defects in the product the consumer buys.

Now, when you compare the Royce bill to the Mayo procurement language, the Mayo language, industry faces a far more serious and rigorous, market-based supply chain discipline.

The industry’s knee-jerk reaction to rational regulation has caused their customers to force discipline in the market via purchasing contract that supersedes any EULA.

Now the financial services industry has published the Mayo procurement language.  It’s reprinted in Appendix B of the Financial Sector Services Coordinating Committee (FSSCC), in their recently published Purchaser’s Guide to Cyber Insurance Products.

Since Underwriters Laboratory just kicked off its UL Cyber Assurance Program (CAP), so that software vendors can receive a UL CAP seal, just like all electrical appliances have a UL seal.

It is likely not going to be long until insurers demand that companies seeking cyber insurance buy networked products or software that have the UL CAP seal.  

Companies may not chose to implement a procurement policy like the Mayo clinic’s, but instead force their cyber vendors to get the UL CAP seal, or they are not eligible to be purchased. 

Finally, serious people are now doing serious things to force discipline on the cyber supply chain to keep us safe from hackers and foreign governments fleecing us of our health data, financial data, trade secrets, and unique military and civilian technology.


Dan Perrin is the founder of the Council to Reduce Known Cyber Vulnerabilities.