Liability isn't going to work as a way of handling malicious attacks. If the culprit is caught, and lives in a place with a reasonable government, prosecution would be a better way to address it, because if it is an individual they aren't going to have assets to cover the damages. If it's a state actor then liability isn't going to do anything as the state involved will deny any association with the attack team and ignore court awards for damages coming from other countries.
> If the culprit is caught, and lives in a place with a reasonable government, prosecution would be a better way to address it
By "lives in a place with a reasonable government" I guess you are talking about somewhere that will act at the behest of the US government and prosecute on their behalf?
Because that's nothing like as simple as you might imagine (for very good reasons).
Source: Kim Dotcom lives down the road here and it is proving to be extremely challenging (and very expensive to us taxpayers) to bring him to US justice.
An attack like XZ wouldn't just harm the US. A prosecution wouldn't have to be "at the behest of the US government".
Kim Dotcom could pretend that his business was legit (just a file sharing service) so he could drag out the court battles. Someone trying to sneak attack code into widely used software would have no such defense.