Don’t extend the SAFETY Act to cyber incidents
Last week, Sen. Steve Daines, R-Mont., became the latest to suggest that “cyber incidents” should qualify for coverage under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, a series of liability protections used to spur the growth of anti-terrorism technologies. However, the market for cybersecurity technologies is already too robust for this kind of market intervention to do anything but stifle the very innovation that it seeks to accelerate.
The SAFETY Act passed in the wake of 9/11 to assuage the fear that companies would not invest in beneficial anti-terrorism products and services because of liability concerns. The law allows entities to have anti-terrorism related technologies and procedures sent to the Department of Homeland Security (DHS) for evaluation. Those meeting certain standards are either “designated” or “certified” under the SAFETY Act for five years and given special liability protections if the DHS secretary designates an otherwise liability inducing event as an “act of terrorism.” Organizations have used it to gain liability protections for everything from X-ray sensors and K9 teams to facility and venue security plans.
The liability concerns undergirding the SAFETY Act arose because of a dearth of past litigation in which a reasonable standard of care could be established. Thankfully, acts of terrorism remain exceedingly rare. After more than a decade and a half of use, the protections of the SAFETY Act have never actually been invoked.
Due to this lack of real-world cases to draw from, companies were unable to adequately assess risks, and the market for anti-terrorism technologies stagnated. Government intervention filled this void, essentially taking over the role of market tester. It was able to propel innovation by unilaterally determining the appropriate standards and obviating the need to wait for a series of test cases that might take decades to occur.
While a struggling anti-terrorism market necessitated and ultimately benefited from the introduction of SAFETY Act liability caps, the same cannot be said for cybersecurity. Cyber incidents may carry the same potential for catastrophic harm as terrorist attacks, but they are also very common and exemptions from liability would be very dangerous. Even a limited definition of qualifying cyber incident would expand the universe of SAFETY Act covered events by many orders of magnitude. The days in which its protections were never invoked would surely be at an end.
Moreover, the frequency of hacking attempts and data breaches has created a growing body of literature on the deployment of various cybersecurity products and stratagems. This is not an example of a weak or empty marketplace that requires government intervention to survive. The best cybersecurity measures are more likely to be divined through true trial and error than selection by government bureaucrats.
This is not to say that the SAFETY Act and cybersecurity products are entirely incompatible. Indeed, a handful have actually already been certified under existing procedures. The market has resisted distortion, however, because an act of terror can be differentiated from other kinds of cyber attacks – the intent and identity of the actor colors the determination.
If more run-of-the-mill events were sheltered from liability as qualifying cyber incidents, precedents would build and SAFETY Act certification would become the de facto standard for the industry. This is hardly the recipe for continuing innovation, particularly given that SAFETY Act certifications lock protections in place for multiple years. With liability protections in hand, there would be little incentive for additional investments and cybersecurity would become a check-the-box exercise.
New resources and ideas are vital in the quest to supplement our cyber defenses, but Congress should not act rashly. Expanding the SAFETY Act to cyber incidents would be an example of trying to force a square peg through a round hole. DHS has an important role to play in cybersecurity, but consumer reports is not it. And cybersecurity innovation moves too quickly to unnecessarily subject it to the sclerotic hand of government.
Image credit: MKA Graphics