Joe Biden’s cybersecurity strategy calls for tighter software liability
Over the past few decades, cybersecurity has been a largely voluntary affair. The costs of credit monitoring and lawsuits have motivated business owners to secure data, but no laws or regulations have been imposed.
The Biden administration’s new national cyber strategy seeks to change that. A key objective is to impose minimum security requirements on critical infrastructure sectors and to expose software companies to liability.
Liability shifts to software vendors
The federal government’s new cybersecurity strategy seeks to shift liability from companies that fail to protect their data and customers from hacks and other cyberattacks to the software makers themselves. That move could have a huge effect on the industry. Many experts are warning that exposing software vendors to liability could put a serious crimp on innovation and drive up the cost of computer security products for businesses.
A large number of successful cyberattacks involve exploitation of vulnerabilities or flaws in software. These vulnerabilities often go undiscovered or undetected by cybersecurity staff until it’s too late and a breach occurs. This can result in a loss of intellectual property, personal information, brand damage and financial losses for the company that was the victim of the breach. The new strategy seeks to address this issue by calling for legislation requiring companies that produce or deliver software to be held liable for any breaches caused by their products.
The strategy seeks to achieve this by working with Congress and the private sector to develop legislation that establishes liability for software producers and providers. It also aims to shape standards of care for secure software development and create an adaptable safe harbor framework that would shield companies that meet these standards from liability.
While these objectives may sound reasonable, they are likely to be met with fierce opposition from those who oppose exposing software makers to liability. In addition, any such legislation will have to be carefully drafted and designed. It is important that the government weigh the trade-offs before imposing such regulations.
Another objective of the new strategy aims to enhance coordination between public and private sectors in response to cyberattacks. This includes improving communication between the various agencies involved in responding to a cyberattack and increasing the speed of intelligence sharing.
It also calls for the creation of a national cyber office to coordinate these efforts. The office will be led by a new coordinator and a new assistant secretary who will oversee its operations. The office will work to strengthen the defenses of critical infrastructure and provide for rapid reaction to cyberattacks and data breaches.
In the long term, the Biden administration wants to impose mandatory cybersecurity requirements on all organizations that operate critical infrastructure. This includes energy, banking, telecommunications and emergency management services. In areas where it cannot impose this requirement via executive order, it will seek Congressional authorization to do so.
Other elements of the new strategy include a call for increased penalties and direct action against hackers who target U.S. companies and citizens, such as retaliatory attacks against the networks of malicious actors that launch cyberattacks. It also seeks to use all aspects of national power, including diplomatic, military, intelligence and financial capabilities, to disrupt adversaries’ cyber operations. A third pillar of the strategy is focused on building international coalitions to share cyber threat information. This will help to build a vision for internet governance that promotes trusted data flows, respects privacy and supports human rights.
Shifting liability to software vendors
After a series of high-profile cyberattacks, including ransomware strikes against schools, hospitals and critical infrastructure companies, the Biden administration is stepping up pressure on software makers to make sure their products are secure. Its national cybersecurity strategy, released Thursday, includes a proposal to limit the ability of companies to disclaim liability for software flaws by requiring them to use best security practices. That’s a major shift for an industry that has long been able to escape liability by relying on contract protections.
In addition to calling on federal agencies to set minimum security standards, the new strategy outlines steps to strengthen critical infrastructure cybersecurity, disrupt and dismantle threat actors and shape market forces to promote security and resilience. It also lays out an ambitious 10-year plan to shift the burden of securing software from end users to the technology companies that produce it.
It’s a big policy initiative, but it faces a number of significant hurdles. First, if the administration is serious about putting pressure on software makers, it will have to develop and pass legislation to do so. That could take years, and a divided Congress will likely be reluctant to empower the White House to sue software firms.
A more realistic approach might be for the government to take initial action where it can without Congressional input, such as pushing for stronger security requirements in federal procurement regulations. But ultimately, the plan to put software vendors on the hook for system insecurities will have to be addressed by Congress and the private sector.
For many, the key question is whether Congress will take up the issue at all. A bill that would make software makers liable for the consequences of using their flawed programs would face tough opposition from both Republicans and Democrats, not to mention the thorny technical questions it raises.
The strategy aims to get the ball rolling by limiting software makers’ ability to disclaim liability through end-user licensing agreements that few read and that aren’t easily updated. The administration also seeks to give businesses economic incentives to make security part of the software development process rather than leaving it up to individual users to ensure they’re protected by default.
In the healthcare sector, where the AHA and HITRUST have backed the plan, the industry is optimistic about the strategy’s potential to create security incentives for software developers. But it’s a far cry from the type of comprehensive law that will be needed to combat the rising threats against hospitals, schools and other critical infrastructure.
As the nation’s infrastructure increasingly relies on software, the stakes have never been higher. If the strategy succeeds in shifting the responsibility for securing that software from consumers to tech companies, it could significantly improve America’s defenses against the threat landscape we currently face. But the thorny issues aren’t going away anytime soon. To succeed, any new legislation to hold software makers liable will need to be a multiyear project with help from both Congress and the industry. The next few years will be a crucial testing period for the Biden administration’s vision of a more secure digital economy.