Editor’s Note: The following is a brief excerpt from a peer reviewed publication. The complete article is attached here.
From: THE TALLINN PAPERS/NATO CCD COE
by Liis Vihul, Researcher, NATO Cooperative Cyber Defence Centre of Excellence
By contrast, if penetration testing were a legal requirement, and an end-user suffered harm as a result of the manufacturer’s failure to comply with the norm, the manufacturer would be liable for the resulting loss. Of course, any such approach must be informed by technological and economic reality, and therefore requires careful consideration prior to adoption. But setting specific obligations out in legislation, as opposed to basing them only on industry initiative and thus leaving compliance subject only to industry scrutiny, would also open the door to administrative oversight by the State, and allow for appropriate sanctions in cases of non-compliance. The State is a much more powerful and effective guarantor of national cyber security than individual end-users, who are primarily concerned with the functionality of software programs in support of their everyday activities.