Note: This post is an update / follow-up to the original story, which is located here.
On Friday, Salted Hash explored the announcement from FireEye that their customers now have a liability shield due to being certified by the Department of Homeland Security (DHS) under the SAFETY Act.
FireEye says that customers using their Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform will see "potential savings on both insurance and legal expenses" due to the protections afforded by the SAFETY Act, which will last until April 30, 2020.
Giving FireEye certification and designation under the SAFETY Act means their products are classified as a Qualified Anti-Terrorism Technology (QATT) and certified as an approved product for Homeland Security.
For agencies looking for cybersecurity products, they now have a vendor on the approved list that they can turn to. But in some circumstances FireEye will be the only vendor they can choose.
DHS says that the SAFETY Act is there to "ensure that the threat of liability does not deter manufacturers or sellers of anti-terrorism technologies from developing, commercializing, and deploying technologies that could save lives."
After the original story broke, several security experts had a lengthy debate online, arguing both sides of the issue – but the cons outweighed the pros when it came to FireEye's move, especially where regulatory capture was concerned (again, see the original article).
One argument made was that FireEye's certification would make it hard to convince executives not to purchase FireEye products in the event that such a purchase wouldn't be a solid fit for the organization. Moreover, there is a concern that the certification and designation would stifle innovation and competition.
There's also the concern that security firms would shift funds towards lobbying and gaining certification under the SAFETY Act, rather than dedicate those funds towards R&D.
There's a downside to using the SAFETY Act as a sales tool though. As the number of pure InfoSec vendors on the SAFETY Act list grows – FireEye is the only one currently – this list could become an actual "hit list" for bad actors.
"If someone were to be plotting some form of cyber-terrorism, they could be certain that the targets they were going after would run the certified software. Default settings and any vulnerabilities that could be found would be targeted for exploitation," one reader commented via email.
Other experts questioned the certification process, and what happens to it when FireEye updates their products. Speaking to Salted Hash, FireEye's outside counsel, Brian Finch, addressed some of those concerns.
The SAFETY Act process, Finch explained, in many ways operates like a legal brief to a court. On the application packet issued by the Department of Homeland Security, a company defines exactly what product and/or service it would like to have considered for liability protections.
As best as Salted Hash can tell, this application isn't publicly available. Searches of the SAFETY Act website lead to muddled presentations, vague explanations and listings for lawyers, but no application.
When asked if they could produce their own application, even in redacted form, Finch doubted that FireEye's general counsel would allow that as it couldn't be redacted and there are "a number of attorney / client and DHS granted confidentiality privileges that could be waived by virtue of sharing it."
During the application process, once the product or service is properly defined, the applicant is then responsible for describing how it was created.
After that, the applicant must outline the process used to make sure the product or service matches the intended objectives; the process for deploying, installing, operating, and maintaining it; offer metrics that will be used to determine whether the product or service is operating effectively and properly once deployed; and measures used to provide for a "continuous improvement process."
The following are some additional notes Finch added:
- DHS also reviews the "human" element as well, meaning that they examine the qualifications of the personnel who work on the product or are involved in its deployment. They do so to ensure that they have the proper qualifications and education, and also that they have proper training (including ongoing training).
- DHS takes in all this information, and over a 120-day period (during which they typically ask for more detailed information about the product or service) they determine whether the application subject matter is "useful" and "effective" in deterring, defeating, responding to, mitigating, or otherwise combating security threats like cyber or terrorist attacks.
- If the answer is “yes” to those questions, DHS will either provide a cap on liability (known as a “Designation”) or a presumption of immunity (known as “Certification”). FireEye in this case received the Certification.
- Certification is typically awarded only when a product or service has been deployed for at least 18 to 24 months, and during that time it has demonstrated that it works and works reliably in the field.