Every month some lawyer or vendor sends me a contract to review that includes the wonderful notion that getting hacked is something beyond their control and that if an evil hacker were to kick in the front door I should be so kind as to let them out of all the contractual stuff they promised (like uptime, keeping my data safe and general value for money).
Most of the time I see the words “attacked by”, “hacker” and “security breach” in or near a common contract clause called Force Majeure (sometimes they mention viruses too). Force Majeure is a fun little set of words gifted to us by the French and refers to things that are outside of our control (like war, natural disasters, riots, crime). When the Force Majeure clause is invoked, those bound by the contract are effectively released from their obligations. So if the data center your application service provider uses gets hit by a nuke or a flood, too bad for you as they don’t have to provide the service anymore, and that early end to the contract is penalty free.
The thinking behind Force Majeure is really a risk-based approach that allows service providers to deliver a service without having to build in expensive contingencies against high-impact, low-likelihood events (that sounds almost security-minded). My problem is that lawyers and the businesses they represent apparently think getting hacked is one of those rare events and belongs under this clause.
To which I say: getting hacked is not rare, it is not unavoidable, and it shouldn’t be part of or anywhere near the Force Majeure clause. Many, if not most, hacks are not the doing of some elite cyber warrior – they’re done by a script kiddie using someone else’s tools, which only work because patches weren’t deployed, configs weren’t hardened or bad coding practices were rampant. Look at Sony with outdated Apache web servers; look at Stuxnet spreading through Windows hosts missing patches that had been available for years; even the Comodo CA breach smells of amateur hour.
We have so many tools to help us make systems less susceptible to attack by attending to basic hygiene – from automated patching to full-disclosure lists and initiatives such as OWASP, never mind the products you pay lots of money for from hundreds of vendors. Granted, sometimes a business decision is made not to follow good security practice – maybe it’s limited resources, budget constraints or a lack of skill – but don’t you dare say that getting hacked because of your weak security was outside your control. Through ignorance or an explicit choice, you accepted a risk. The plethora of tools, the abundance of knowledge, the existence of many experts and your ability (or inability) to make business decisions make much of the badness that could happen to you completely avoidable; so you cannot reasonably claim that getting hacked is a Force Majeure event, something beyond your control.
As always, there is an exception. Let’s say the vendor did a risk assessment, implemented all the practices, processes and technology their trusty consultant recommended, made themselves as reasonably secure as they could, and maintained that posture through audits and periodic improvements. Maybe they’re that unlucky bunch that happened to cross paths with the elite – a creator of zero-day exploits – and they get completely and utterly owned. That is the one time we can sympathise with their bad luck (and ours): when it is clear that they took reasonable measures to protect themselves and those measures failed in some non-systemic way. At that point we can all agree it was outside of their control and Force Majeure applies.
If you’re a vendor selling a service, get clear on what reasonable security means, write it down and tell your customers – that way you can fairly carve out protection for the genuinely rare events, the ones you truly can’t defend against. If you’re buying a service and the vendor tries to bundle getting hacked under Force Majeure, you have a right (and a responsibility) to push back – either refuse it outright, or tie it strictly to the vendor having demonstrably met that reasonable-security standard. Being negligent about security should not give anyone a get-out-of-jail-free card.
TL;DR hackers aren’t forces of nature, many breaches could have been stopped by some basic security hygiene and service providers don’t deserve an easy out from your business contract if they got hacked because they didn’t do the basics.
minor edit: removed a repeated word