Cybersecurity's Original Sin Executive Summary
An executive summary of the four-part Cybersecurity's Original Sin series (May 28, 2026)
Author’s note
The arguments in this series are made from inside the institutions that have lived with these problems, not from outside them. Randy Marchany joined the SANS Institute in 1992 as one of its original instructors. He is instructor #2, the longest-running instructor in SANS history, and the first-listed of 42 co-authors of the SANS Top 10 Internet Threats (Version 1.10, published in the ISACA Information Systems Control Journal, Volume 4, June 1, 2000). That document originated from a February 15, 2000 White House meeting with President Clinton on critical infrastructure protection and was co-authored by practitioners from NSA, DoD, CERT/CC, MITRE, Network Associates, Internet Security Systems, Counterpane Internet Security (Bruce Schneier), Foundstone, Purdue University CERIAS (Gene Spafford), UC Davis, Carnegie Mellon University, and Boston University. It evolved into the SANS/FBI Top 10 Internet Threats and subsequently the SANS/FBI Top 20 Internet Threats, which were in turn incorporated into the formal vulnerability classification infrastructure through the CWE/SANS Top 25 collaboration with MITRE. He also co-authored the SANS Consensus Roadmap for Defeating DDoS Attacks and the SANS Incident Handling Step by Step guide. In 1996, he and Tom Wilson presented a paper at the SANS International Network Security Conference in Washington, DC demonstrating how a keystroke recorder could be packaged in an email attachment and executed without detection, the original attack chain that phishing campaigns still exploit today. He has been Virginia Tech’s Chief Information Security Officer since 2010 and has held IT security responsibilities there since 1991, when one of his own systems was hacked, an incident detailed in the book At Large: The Strange Case of the World’s Biggest Internet Invasion.
His institutional contributions to the standards and frameworks this series examines include: founding volunteer of the Center for Internet Security; producer and tester of the original CIS Unix and Windows security benchmarks; co-author of CIS Security Controls version 8, which Virginia Tech has deployed as its minimum security standard at Implementation Group 2 level; and co-holder of three cybersecurity patents, including MT6D (Moving Target IPv6 Defense), tested on a live Virginia Tech network and extended to IoT and smart grid environments. He was among the first practitioners to feed firewall data to the DShield project that became the Internet Storm Center. He co-founded VASCAN and the Virginia Cyber Range, and was a founding member and curriculum developer for the US Cyber Challenge.
The series draws on fifty years at one institution, thirty-five years in cybersecurity, more than 3,000 students taught, fourteen PhD students mentored, over forty publications, and NSA Center of Academic Excellence designations in Cyber Defense, Cybersecurity Research, and Cybersecurity Operations. The methodology of the series is practitioner analysis grounded in longitudinal data. The author is a primary source for much of what this series describes, not an outside analyst. That standing is the basis for the argument and the basis on which it should be evaluated.
The Virginia Tech IT Security Office he led was ranked among the top 50 information security teams globally by OnCon in 2025. He has written or co-authored over 40 papers and articles on cybersecurity; his publications span peer-reviewed journals, conference proceedings, and practitioner-focused guides, bridging the gap between academic research and practical implementation. He has won numerous awards, including the 2025 OnCon Top 10 CISO Award, the CISO Connect Top 10 CISO Award 2025, and the CISO Connect Top 100 CISO Award 2026. He retires from Virginia Tech in July 2026 after fifty years of service.
Core Argument
In 2001, the SANS Institute published a landmark list of the ten most common cybersecurity mistakes made by individuals and organizations. Twenty-five years later, nine of those ten problems remain largely unsolved. This is not a technical mystery or a resource problem. It is the predictable result of three interlocking failures:
• A broken economic incentive structure that shifts the cost of insecurity onto victims rather than those best positioned to fix it.
• A legal framework built around End User License Agreements (EULAs) that systematically shield software vendors from liability for insecure products.
• An industry that has found it more profitable to treat symptoms than to cure the underlying diseases.
The cybersecurity industry is more analogous to a pharmaceutical industry that profits from managing chronic conditions than to the sanitation industry, which profits from eliminating disease vectors. Root-cause solutions commoditize or destroy adjacent revenue streams.
Part 1 — The EULA as a Liability Shield
As software became critical infrastructure, the industry faced a choice: accept infrastructure-grade liability (as manufacturers of aircraft, pharmaceuticals, and automobiles do), or construct a legal argument for categorical exemption. It chose the latter — deliberately.
The ‘AS-IS’ Fiction
Virtually every EULA contains a clause disclaiming all warranties. This single legal device, replicated across hundreds of thousands of products, effectively neutralizes every item on the SANS Top 10. The argument rested on four pillars:
The intangibility defense. Product liability doctrine, as developed under the Restatement (Second and Third) of Torts, applies to products — tangible goods. Courts have struggled to classify pure software as a product in this sense, frequently treating software failures as service defects rather than manufacturing defects. The software industry did not create this doctrinal ambiguity; it exploited it systematically, embedding it in every license agreement written. The EU Cyber Resilience Act addresses this directly by treating software with digital elements as a product with mandatory safety obligations regardless of delivery medium.
The AS-IS warranty disclaimer. UCC § 2-316 permits disclaiming the implied warranty of merchantability with conspicuous ‘as-is’ language. What makes this warrant policy attention for software is that a standard commercial risk-allocation mechanism, when applied to products deployed as public infrastructure, places the consequences on third parties who had no role in the contract negotiation and agreed to nothing.
The advisory patch norm. Security advisories are legally non-binding recommendations. A vendor who discloses a defect and issues a patch bears no liability for harm caused during the remediation window. Equifax (2017): patch available two months before exploitation; software vendor liability zero. CISA’s KEV mandatory remediation timelines are the first binding counterweight.
Compliance as accountability substitute. PCI-DSS, HIPAA, SOX, and ISO 27001 mandated control presence, not security outcomes. Compliance became the goal; security became incidental. Vendors benefited from mandatory procurement cycles that did not require root-cause remediation.
The result was a complete inversion of normal manufacturer-consumer liability. A car manufacturer who ships faulty brakes faces recalls and civil liability. A software vendor who ships code with buffer overflow vulnerabilities, a defect class fully understood since the 1970s, faces no equivalent obligation.
SANS Top 10 Status — 25 Years On
The Equifax breach of 2017 — which exposed 147 million people’s data via an unpatched Apache Struts vulnerability for which a fix had been available for two months — exemplifies the system at work. Equifax paid a settlement. No software vendor faced any liability whatsoever.
Part 2 — The Economics of Insecurity
The EULA shield did not merely protect vendors from lawsuits. It allowed an entire secondary industry to be built on top of the resulting insecurity. Every unpatched system is a market for a patch management platform. Every misconfigured firewall is a market for a configuration auditing tool. Every phishing attack is a market for security awareness training.
Security as a Premium Feature
This incentive model expanded into the deliberate practice of selling security capabilities as paid add-ons to an insecure base product. Advanced logging, privileged access management, multi-factor authentication enforcement, and threat detection have historically been available only in enterprise-tier licenses — priced beyond smaller organizations. The organizations least able to absorb a breach are precisely those denied access to the tools that could prevent one.
Microsoft’s 2023 decision to expand default logging access — only after Congressional pressure following the Storm-0558 breach — illustrates the mechanism: security features are withheld until external pressure forces them out of the premium tier.
The Compliance Illusion
The rise of compliance frameworks (PCI-DSS, HIPAA, SOX, ISO 27001, SOC 2) created what appeared to be accountability but in practice substituted for security. Organizations could satisfy audits by demonstrating the presence of controls — without those controls being effective. Compliance became the goal; security became incidental.
Compliance frameworks never required that root-cause problems be fixed — only that compensating controls be installed around them. A web application firewall counts for PCI compliance whether or not the underlying application has SQL injection vulnerabilities.
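The difference between a compensating control and a root-cause fix is easy to see in code. The following is an added example, not code from the series or from any product it discusses: a deliberately injectable lookup against an in-memory SQLite table with constructed sample rows, a hypothetical blocklist rule standing in for a WAF signature, and the parameterized query that removes the defect. The table, function and payload names are assumptions for illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data in an in-memory database (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Root-cause defect: untrusted input is concatenated into the SQL text,
    # so a quote inside `name` changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


# Hypothetical blocklist rule standing in for a WAF signature. It matches
# the textbook tautology payload and nothing else.
BLOCKLIST = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def lookup_with_filter(conn, name):
    # Compensating control: reject requests that match the signature, then
    # hand the input to the same vulnerable query. The defect is untouched.
    if BLOCKLIST.search(name):
        raise ValueError("request blocked by filter")
    return lookup_vulnerable(conn, name)


def lookup_fixed(conn, name):
    # Root-cause fix: a parameterized query. The driver binds `name` as a
    # value, so it is never parsed as SQL, whatever it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = make_db()
    textbook = "' OR '1'='1"   # the payload the signature was written for
    variant = "' OR 1=1 --"    # same effect; `--` comments out the trailing quote
    for label, fn in [("vulnerable", lookup_vulnerable),
                      ("filtered", lookup_with_filter),
                      ("fixed", lookup_fixed)]:
        for payload in (textbook, variant):
            try:
                print(f"{label:10} {payload!r:16} -> {fn(conn, payload)}")
            except ValueError as exc:
                print(f"{label:10} {payload!r:16} -> {exc}")
```

The filter blocks the one payload its signature was written for; the variant passes straight through to the same concatenated query and returns every row. The parameterized version returns nothing for either payload because the input never reaches the SQL parser. That is the gap between a control that satisfies an audit and a fix that removes the vulnerability class.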
Part 3 — Operational Technology: The End of Outsourced Risk
Every structural argument for vendor immunity — the EULA shield, the compliance illusion, the perverse economics — rests on a single enabling condition: that the harm caused by insecure software can be successfully shifted to the user. Operational Technology (OT) destroys that condition.
When insecure software controls a water treatment plant, power grid, hospital, or pipeline, the harm it enables is no longer a data record on a dark web marketplace. It is a city without power, a patient who cannot receive surgery, or drinking water laced with caustic lye. Physical harm is very difficult to disclaim in a EULA.
Key OT Incidents
• Stuxnet (2010): A worm destroyed roughly 20% of Iran’s uranium enrichment capacity by targeting industrial PLCs — proving that software could cause deliberate physical destruction and that air-gaps were not a security guarantee.
• Ukraine Power Grid (2015–16): Attackers cut power to 230,000 customers in winter after months of reconnaissance via spear-phishing. A follow-up attack attempted permanent physical damage to substation equipment.
• TRITON/TRISIS (2017): Attackers targeted a petrochemical plant’s Safety Instrumented System — the last line of defense against explosions — with the intent of engineering a mass-casualty event. Only a programming error in the malware triggered a safety shutdown, revealing the intrusion.
• Colonial Pipeline (2021): Ransomware, delivered via a leaked password for an unmonitored legacy VPN account, shut down the pipeline that carries roughly 45% of the US East Coast’s fuel supply, triggering a national emergency and the first binding TSA security directives for pipeline operators.
• Oldsmar Water Treatment (2021): An attacker remotely increased sodium hydroxide levels in drinking water to 111 times the normal amount. Every condition that enabled the attack appeared on the SANS Top 10 list from 2001.
Why OT Changes the Legal Calculus
OT attacks dismantle the industry’s core defenses simultaneously:
• The ‘no physical harm’ defense collapses — EULA clauses cannot disclaim bodily injury or large-scale physical destruction.
• The ‘user error’ reclassification fails — when a utility operator follows documented procedure and is exploited via a vendor-chosen default credential, the vendor cannot credibly assign blame.
• The victim class becomes sympathetic and visible — 15,000 people nearly poisoned, 230,000 without power in winter, or national fuel shortages generate congressional hearings and presidential statements.
• The causal chain becomes legally traceable — in a SCADA attack, the link from unpatched firmware to physical damage is often direct and incontrovertible.
The EU’s Cyber Resilience Act (CRA), which entered into force December 2024 with main obligations applying from December 2027, is the first binding operationalization of this shift. For the first time, manufacturers must ship products in secure-by-default configurations, maintain vulnerability handling processes, and cannot disclaim these obligations via EULA. Penalties reach up to €15 million or 2.5% of global annual turnover.
OT did not create a new legal theory. It destroyed the industry’s last credible argument for why the existing theory should not apply — and the liability principles it exposed extend with equal logical force to enterprise software, cloud platforms, and consumer IT.
Part 4 — The Path Forward
The path forward requires three coordinated legal tracks operating simultaneously. These are not alternatives. They are components of a coherent accountability framework, each routing around the economic loss rule on a different vector.
Track One: Federal Regulatory Mandate
Modeled on the National Traffic and Motor Vehicle Safety Act (1966): mandatory cybersecurity standards as conditions of market access in covered sectors, enforced by CISA. This is regulatory compliance, not tort, so the economic loss rule does not apply. The operative mechanism is vendor self-attestation with legal consequence, not government pre-market certification. A vendor completes a standardized security questionnaire (HECVAT, SOC 2 Type II, CMMC) as a condition of sale; the buyer evaluates the attestation; a false attestation triggers fraud-in-the-inducement liability commercially or FCA liability in federal funding contexts. This model already operates at scale in higher education through HECVAT.
Track Two: False Claims Act
No new legislation is required. The Act is available now against any vendor making false cybersecurity compliance certifications under federal contracts or research funding. The mental state required is reckless disregard, not intentional fraud, and no breach needs to occur: the false certification is the violation. Six Civil Cyber-Fraud Initiative settlements through 2025, including Penn State ($1.25M), Georgia Tech ($875K), Raytheon/Nightwing ($8.5M), and Illumina ($9.8M), establish enforcement precedent under existing law.
Candid acknowledgment: every Civil Cyber-Fraud Initiative settlement to date has been resolved before a court ruled on the merits. The FCA cybersecurity theory has been validated by enforcement pressure and settlement behavior, not by judicial precedent. The theory is strong. It is not yet tested by a court that has ruled in the government’s favor on the contested legal questions.
Track Three: State Tort (Physical Harm Cases Only)
The economic loss rule bars recovery for purely financial harm but not for physical harm to persons. Track Three is scoped exclusively to OT incidents in which insecure software caused physical harm. It relies on a rebuttable presumption: if physical harm occurs in connection with an OT system that shipped with SANS Top 10 defects documented as dangerous at the time of sale, the defect is presumed to have caused or contributed to the harm. Courts can adopt this presumption on their own authority, without new legislation.
For all three tracks, AI-augmented scanning is narrowing the ‘we didn’t know’ defense. Rob T. Lee, Director of Research for the SANS Institute, documented that Anthropic and approximately 50 partners found more than 10,000 high- or critical-severity vulnerabilities in the first month of Project Glasswing. The 9-27 day human remediation pipeline (Figure 5.4.1, Penligent.ai) explains why the discovery-to-patch gap is structural rather than indicative of unactionable output. A vendor who attests to security posture without deploying available scanning has made that attestation with reckless disregard for its accuracy.
Conclusion
The SANS Top 10 list of 2001 is not a monument to the difficulty of cybersecurity. It is a monument to the success of a legal and economic strategy that made insecurity profitable and consequence-free for the parties best positioned to fix it.
The legal framework is specified and workable. The three tracks route around the economic loss rule. The FCA enforcement record is real. The OT physical harm argument is the most legally durable version of software liability available. Whether this argument produces reform depends on political execution, coalition building, secondary pressure through cyber insurers, state AGs, institutional investors, foreign regulators, and the plaintiff’s bar and on the existence of a coordinating organization that does not yet exist. The argument is ready. The campaign requires sustained organizational effort across a realistic decade-long timeline.
The most important structural difference from prior reform rounds is that change is no longer waiting for legislation. The EU Cyber Resilience Act is forcing product redesign regardless of U.S. legislative outcomes. U.S. procurement requirements are adopting parallel standards through executive action. Cyber insurers are beginning to price vendor design risk through actuarial analysis rather than political negotiation. FCA settlements are expanding the deterrence profile annually. OT physical harm cases are approaching U.S. courts. A major cyber-physical incident will occur. When it does, Congress will not be deciding whether to change the accountability structure. It will be deciding whether to codify the change that has already occurred. The reform campaign’s goal is not to force that change. It is to ensure that the change already underway produces systematic vulnerability-class elimination rather than incident-by-incident reaction and that the legal and organizational infrastructure exists to use the congressional moment when it arrives.
The most consequential exploits of the past twenty-five years were not executed in terminal windows. They were drafted by lawyers, ratified by courts, and embedded in license agreements that nobody reads. Changing that is a political project as much as a legal one.
Source
Randy Marchany, ‘Cybersecurity’s Original Sin’ (Parts 1–4), vtrandy.substack.com, March–April 2026. Randy Marchany is a co-author of the original SANS 2001 Top 10 list.




