21 Jan The Solar Winds Hack Crisis Lays Bare a Software Contracting Problem
January, 2021. The U.S. Government and major U.S. corporations are still figuring out the extent of the intrusion by Russian hackers into their systems through the Solar Winds software hack. The SVR, the Russian government's cyber-spook agency, injected malware into an automatic code update of the Solar Winds network-management software product, and that tainted update was apparently downloaded and installed by a broad swath of its clientele. Computer security and network-management software can introduce elevated system security risk because, by its nature, it typically requires system administrative privileges and has to operate inside the perimeter of the network firewall. One would expect the vendor to bear the risk of such a potential single point of failure for system security except in unique circumstances.
In the EULA we reviewed, Solar Winds’ license both disclaims warranty and caps the indemnity: the software is provided “as-is” except for a limited warranty that carves out “software that is modified or altered by… any third party that is not authorized by Solar Winds…” Presumably that includes the Russian hackers. Solar Winds’ liability is also capped at 12 months’ license fees. The Solar Winds license does not contain any representation or warranty that the software will be free of malware. The bottom line is that software vendors and software customers need to consider the proper allocation of the hack risk, regardless of the impact on the project timeline. According to the document we found, Solar Winds’ customers are holding the bag.
#solarwinds #Dataprivacy #softwarelicense #malware #IPlaw