This week, Salted Hash has examined the Department of Homeland Security's (DHS) SAFETY Act, and FireEye's promise to customers that their certification under the act provides them protection from lawsuits or claims alleging that the products failed to prevent an attack.
Overall, comments from the security community on the matter have been less than favorable. Most of the backlash centers on the fact that the liability protections the act affords to FireEye customers aren't exactly clear, and in some cases they look as if they reward organizations for check-box security initiatives, which often do more harm than good.
Moreover, the backlash has also centered on regulatory capture and the fact that FireEye is the only pure InfoSec vendor whose products have received both Designation as a Qualified Anti-Terrorism Technology (QATT) and Certification as an Approved Product for Homeland Security under the act.
As mentioned yesterday, such an award is viewed as a move that could stifle innovation and competition in the security industry. Yet, while FireEye is currently the only pure-InfoSec vendor on the SAFETY Act list, Salted Hash has heard from two other vendors who are considering it. Both declined to comment for this article.
Customers using FireEye's Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform will see "potential savings on both insurance and legal expenses" due to the protections afforded by the SAFETY Act, FireEye's CEO, Dave DeWalt said in a recent earnings call.
One security expert, speaking about the liability protections offered to buyers, noted that they've "yet to be tested in court."
"Testing the SAFETY Act in court will be like testing cyber insurance in court. In fact, most insurance cases that have gone to court haven't fared well. There are some real questions surrounding this program and the liabilities it can actually provide."
For example, when it comes to the attacks that would trigger SAFETY Act protections, how does one speak to intent?
Do the attacks in question have to be terrorism as the public understands it, or as the SAFETY Act defines it? Do nation-state attacks count, and if so, how exactly? Does an organization get the liability protection from a single product, or does its whole security program need to consist of SAFETY Act products?
These questions remain unanswered, and many of them will only see answers after a judge has made a decision.
Another question asked by readers this week centers on configuration changes and installation procedures. Salted Hash looked to FireEye's outside counsel, Brian Finch, for answers.
Q: What happens to the liability if [the customer doesn't] implement or configure the product correctly? Do they lose the liability? If FireEye does all that for them, but they later change something, creating a state that leaves them vulnerable, but not a state that a FireEye engineer would have caused, does that mean they lose their liability protection?