
    HTTP 404 [Liability Not Found]: Big Tech’s Firewall May be Compromised

    By Shaun Lenihan

    FLASHBACK: You get home from work, kick off your shoes, and sit at your desk. You pull your PC monitor towards you, past your incredibly valuable collection of beanie babies, turn on your computer, and pop in your CD-ROM of AOL to surf the web… as soon as your wife gets off the phone. In the meantime, you turn on C-SPAN and see some group of vagabonds testifying before the Governmental Affairs Committee. They use a lot of technical jargon, but what catches your attention is the confidence with which they say they could take down the internet in 30 minutes if they chose to.[i]

    In 1998, this hacker group, L0pht Heavy Industries, testified before the Governmental Affairs Committee. Without naming names, they testified that the large companies that create and distribute computer operating systems throughout our society, government, and schools are aware of how vulnerable their products are but choose not to fix them until the economic benefit is substantial enough.

    Today things are vastly different: beanie babies never became valuable, an AOL email address lets others know your retirement is just around the corner, and nothing I own can play a CD-ROM. But one part of the 90s stuck with us: cyber security. It is still necessary to guard society, but it continues to lack uniform procedure. In other words, society is still terrifyingly vulnerable to attack.

    In the last 15 years, computers have become smaller, more portable, and home to the most sensitive parts of our personal information. They have become such an integral tool for navigating everyday tasks that some prefer convenience and accessibility over security, a choice whose consequences consumers are occasionally reminded of. Groups of ill-intentioned hackers (referred to as “black hats”) have taken companies’ computer systems hostage and held them for ransom. The most famous of these ransomware attacks was the Colonial Pipeline hack in 2021, when the group DarkSide encrypted Colonial Pipeline’s software, preventing it from billing its customers. As a precaution, the company shut down all oil production to ensure the malware did not spread. This garnered a response from federal and state law enforcement, national security experts, and even President Joe Biden. It was later confirmed that the group made their first incursion by obtaining an employee’s VPN password, either leaked in a separate attack or intercepted on public WiFi. Law enforcement recovered almost 3 million dollars of the 4.4 million paid to the group. If this could happen to Colonial Pipeline, it could happen to anyone, except that the FBI will not dedicate the same resources to an individual that it dedicated to Colonial Pipeline.[ii]

    So, what happens when the average individual is the victim of cybercrime? Who is liable for damage to a person’s finances, credit score, reputation, and quality of life? Who takes responsibility when the house of cards comes falling down? The answer: it depends, but almost certainly not the corporation that creates and sells the software.

    For example, Microsoft, which accounts for 71.5 percent of the global market, integrates its security into the operating system. The operating system is then sold to the consumer via a license which states that the consumer may not hold Microsoft liable for any security breaches. In 2016, Google announced that Microsoft had a severe vulnerability in its operating system. Hackers were able to exploit a bug in the Windows kernel via a win32k.sys system call, which bypassed the security sandbox.[iii] If you did not understand any of that, you are not alone. The expectation that the average consumer must also be a cyber security expert to protect themselves, when these vulnerabilities are known to, but not acted on by, corporate giants, falls flat when explained in normal terms: victims of auto theft do not hold car manufacturers liable for the theft of their vehicle, but maybe they would if it were discovered that, with a little elbow grease, any key could unlock and start any car, not just the owner’s.

    Coupled with restrictive licensing agreements, software companies have stymied litigation to protect the industry. Pre-suit settlements may appear costly, but the benefits far outweigh the costs. Pre-suit settlements prevent state and federal judiciaries from establishing precedent that future plaintiffs might rely on or that legislatures may look to when drafting potentially restrictive legislation. With the rise of cybercrime in the United States, a demand that software developers do more to protect consumers is noticeably absent. “This area of law has been stunted in its growth,” said Alex Abdo, an attorney with the Knight First Amendment Institute at Columbia University. “It is very difficult to hold software manufacturers accountable for flaws in their products.”[iv]

    Google has addressed this by creating a 90-day vulnerability disclosure deadline. When Google discovers a vulnerability in a vendor’s software, it immediately notifies the vendor, who must patch the vulnerability within 90 days. If the vendor fails to patch the faulty software within the prescribed period and does not notify the cyber security industry of the vulnerability, Google will disclose the information to the public. This incentivizes software companies to vigilantly monitor and repair their software or face having its flaws broadcast to consumers.[v]

    While the law remains stagnant, computer science has experienced exponential growth. Quantum computing, in basic terminology, allows a machine to read/write code 158 million times faster than the world’s fastest supercomputer. It can perform tasks in four minutes that would take modern computers roughly 10,000 years. Cryptocurrency wallets are secured by 12 random words. It could take an average computer hundreds of years to guess 12 random words, whereas it would take minutes with quantum computing. Advancements in technology are quickly outpacing even the most security-conscious users, a bleak foreshadowing of the consequences users who prefer convenience over security might one day experience.

    Twenty-five years have passed since L0pht Heavy Industries testified before Congress about the power software companies wield and the limited opportunities to hold them liable for their mistakes. Congress would be wise to implement a uniform software vulnerability disclosure requirement for the protection of the average consumer or at least create a path for victims of cybercrime to be made whole when software companies negligently leave vulnerabilities open for exploitation.


    [i] See Cybersecurity: When Hackers Went to the Hill — Revisiting the L0pht Hearings of 1998, Nat’l Sec. Archive (Jan. 9, 2019), https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-01-09/cybersecurity-when-hackers-went-hill-revisiting-l0pht-hearings-1998.

    [ii] See Sean Michael Kerner, Colonial Pipeline hack explained: Everything you need to know, Tech Target (Apr. 26, 2022), https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know.

    [iii] See Michael Kan, Google Clashes with Microsoft over Microsoft flaw disclosure, Computerworld (Oct. 31, 2016), https://www.computerworld.com/article/3137172/google-clashes-with-microsoft-over-windows-flaw-disclosure.html.

    [iv] See Jan Wolfe, Cyber attack could spark lawsuits but not against Microsoft, Reuters (May 15, 2017), https://www.reuters.com/article/us-cyber-attack-liability/cyber-attack-could-spark-lawsuits-but-not-against-microsoft-idUSKCN18B2SE.

    [v] See How Google Handles Security Vulnerabilities, Google, https://about.google/appsecurity/#:~:text=Google’s%20vulnerability%20disclosure%20policy&text=This%20is%20why%20Google%20adheres,the%20vendor%20releases%20a%20fix (last visited Apr. 7, 2023).
