by zmanian
3895 days ago
I could bug Marcy for an answer. I will do a totally inadequate job of defending her analysis compared to her. It seems relatively simple to read this passage in the following way: Let's say a major car company decided to leave open a port with a remote code execution vulnerability on their cars. Let's say this car company discovered this port was being exploited and informed the NSA of affected vehicles' IMEI numbers, IP addresses, etc. Now let's say FTC/NTSB wanted to put together a case for punishing the car manufacturer for their poor security operations. It seems perfectly reasonable for a lawyer to read the passage from CISA and claim the court couldn't use any disclosure to the government under like the number of affected vehicles (easily calculated from the threat information previously shared) in any determination of liability.
If there's an authority under which Chrysler can be prosecuted for having vulnerabilities (spoiler: I don't believe there is), CISA doesn't change any of that. Certainly, there's no clear linkage between CISA sharing and a private actor's ability to sue Chrysler for torts emerging from vulnerabilities.
I don't even think there's a stretch reading of the statute that gets you where this blog post lands.