Ex-Hacker: If You Get Hacked, Sue Somebody

The days of software companies having built-in legal “liability protections” are about to come to an end, one expert says.

Jeff Moss, the hacker formerly known as Dark Tangent and founder of the Black Hat and DEFCON computer security conferences, has a message for the Beltway tech community: If you get owned, sue somebody.

Sue the hackers, the botnet operators that affect your business or the company that developed insecure software that let attackers in, Moss said. The days of software companies having built-in legal “liability protections” are about to come to an end, he argued.

“When the Internet-connected toaster burns down the kitchen, someone is going to get sued,” said Moss, speaking Wednesday at the QTS Information Security and Compliance Forum in Washington, D.C. “The software industry is the only industry with liability protection. Nobody else has liability protection for some weird reason. Do you think that is going to last forever?”

Moss cited Tesla’s connected cars and Boeing’s connected planes as examples of mobile data centers that hold legal liability if an accident occurs. If their products are compromised, it could mean a loss of life and certainly would result in lawsuits.

Yet, “if that data center has no wheels or engines,” the companies operating them typically haven’t been held legally liable when they’re hacked or compromised, even when financial damages exceed millions of dollars. Some estimates suggest hackers are responsible for as much as $500 billion in damages annually.

“Why do we just accept it all and not sue people?” Moss said. “You have a corporate legal team and you’ll sue everybody for anything except when it comes to software. You might sue over software licensing agreement but in reality, spammers, attackers and botnet operators and all these things, they’re all run by humans and you can sue them. You don’t even have to actually know what their address is. You can sue John Doe.”

At the very least, Moss said federal agencies and tech companies ought to make lawsuits part of their cybersecurity strategies. Not doing so would fly in the face of changing technological times, he said.