Senior Staff Writer

FireEye customers get liability shield thanks to SAFETY Act

May 01, 2015 (5 mins)
Advanced Persistent Threats, Compliance, Disaster Recovery

One expert calls the SAFETY Act addition government-backed monopolization

Last week, the Department of Homeland Security (DHS) certified FireEye under the SAFETY Act, providing its customers protection from lawsuits or claims alleging that the products failed to prevent an act of cyber-terrorism.

FireEye reported the certification in a press release, which states that FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are the two products now on the SAFETY Act approved technologies list.

For anyone not familiar with the SAFETY Act, the overall aim is to make sure that an act of terrorism doesn’t (as stated by the DHS) “deter manufacturers or sellers of anti-terrorism technologies from developing, commercializing, and deploying technologies that could save lives.”

“FireEye is proud to earn this first-ever SAFETY Act certification in the cybersecurity space, bringing a new level of liability protection for our customers,” said FireEye CEO David DeWalt in a statement.

“This certification validates our position as the leader in the advanced cybersecurity market, and is further evidence that our visionary work continues to represent the cutting edge of cyber defense.”

DHS says that FireEye’s certification and designation will expire on April 30, 2020.

The DHS awards have done two things for FireEye. First, its products have been designated as a Qualified Anti-Terrorism Technology (QATT) and certified as an approved product for Homeland Security, meaning FireEye and its customers are now eligible for protection under Government Contractor Defense, shielding them from third-party claims should the QATT fail to prevent acts of terrorism.

“The successful assertion of this defense eliminates liability on the part of the Seller for such claims. Designation is a prerequisite for Certification,” the DHS explains in an FAQ.

In a conversation with Salted Hash, Adrian Sanabria, Senior Security Analyst at 451 Research, offered some additional insight:

“Designation requires a demonstration of effectiveness and in return receives a liability cap and all sorts of legal protections, [and it lasts five years.] This suggests that some sort of methodology or proof was provided to show that FireEye’s technologies are effective. I’d be very interested to see what those look like.

“The core of this is something we’ve been debating for a while: the definition of terrorism, and whether or not it can apply to cyber-stuffs. The end result looks like a legal get-out-of-jail-free card for businesses that use FireEye, but for that to actually happen, it seems like we’d need a computer-related incident or breach to actually be declared an official ‘Act of Terrorism’ by the US government.”

Thursday evening, many security experts expressed a mix of confusion and anger towards FireEye’s recent advancement. Not because they dislike the company (though many do have a love / hate relationship with them), but because of the larger reach such certifications and designations have for the security industry.

One expert, Scot Terban (@Krypt3ia), said the idea of liability – simply for owning FireEye products – is “kind of crazy.”

“So as I read it, they are not the only company on this list but the idea, in and of itself, is kind of crazy. To say that if you have FireEye as a service on your network/endpoints etc. [means] that you are protected from legal action in the case of “Terrorism” is just incredible. This, I think, if retroactive, would cover a company [facing an incident like the one at Anthem] would it not? Then it just becomes getting the action or the actors marked as terrorists and you’re done.”

Another expert, who asked not to be named due to work constraints on speaking to the media, had a different reaction to the DHS certification / designation given to FireEye.

“I think it is a horrible evolution for our industry. Companies that profit from regulatory capture have no incentive to innovate and suffocate every other organization trying to innovate through an unfair advantage. It is, in a sense, government-backed monopolization.

“We used to have common criteria which was extremely expensive for organizations to obtain. Now we see organizations moving their budgets to lobbyists wining and dining unknowledgeable legislators into making their products required by law. It’s a very sad day for our industry.”

The term regulatory capture hasn’t been used much by the security industry, but it certainly applies in some cases.

Regulatory capture is when a regulatory agency advances the causes of commercial or special interest groups, instead of working in the public’s best interest when it comes to the sector or industry they’re supposed to be regulating.

Current cases include the debate over “fracking” and the EPA, or the FAA allowing Southwest Airlines to fly planes long after they were supposed to have had maintenance inspections, because inspector supervisors were friendly with the airline.

On Twitter, noted security expert Wim Remes shared a blog post he wrote in 2012 on the topic. In the post, he explains the concept of regulatory capture as it pertains to the security industry, and Mandiant (now owned by FireEye) was his example.

After dissecting Richard Bejtlich’s (CSO of Mandiant) comments to Congress, Remes commented:

“This, my friends, is a textbook example of attempted regulatory capture. We have seen innovation in our industry stall by regulatory requirements in the past years. So much that the technologies that thrive are those that accommodate a particular compliance use case. While the positive effect for the commercial entity involved is obvious, the negative effect on the profession (and the entities that are subject to the legislation) are immense.”

It isn’t clear how the DHS certification / designation of FireEye will impact the security industry or their customers. However, during an earnings call, DeWalt made his thoughts clear:

“Beyond the endorsement of our technology by the Department of Homeland Security, this certification represents a huge benefit for our global enterprise customers in potential savings on both insurance and legal expenses.”

Feel free to comment below with your thoughts on the matter, or email them directly. If emailed, please state if you’d like to keep them off the record.