"WASHINGTON -- The Biden administration said it would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections, concluding that market forces alone aren't sufficient to guard consumers and the nation.
Free markets and a reliance on voluntary security frameworks have imposed "inadequate costs" on companies that offer insecure products or services, according to a national cybersecurity strategy released Thursday. It says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail.
"We must begin to shift the liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities," says the 35-page strategy, an interagency product that was written by the office of the national cyber director, which is part of the executive office of the president. Thursday's strategy also advocates developing a more expansive framework of cybersecurity regulations to protect the nation's critical infrastructure -- a categorization that includes energy operators, hospitals and banks, among others.
Any legislation supported by the administration should prevent software makers from avoiding liability by contract and create higher standards for software in specific high-risk situations, the strategy says. The administration would work to develop an evolving safe harbor framework -- borrowing from current best practices for secure software -- to shield companies from liability, it adds.
Such a push on software liability, if successful, would pivot national cybersecurity policy in the U.S. after several Democratic and Republican administrations favored an approach that largely relied on software vendors and other businesses to voluntarily manage their own cybersecurity. President Biden, in a signed cover letter, said the strategy "takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations."
Major software companies "can and should shoulder a bigger share of the cyber risk," Kemba Walden, acting national cyber director, said during a media briefing. Hacks of widely used software can be devastating and far-reaching, officials and experts have said, such as an alleged Chinese cyberattack on Microsoft email software in 2021 that rendered hundreds of thousands of mostly small businesses and organizations vulnerable to intrusion.
For more than a decade lawmakers in both parties have sought to create certain cybersecurity requirements on companies, but legislative efforts have typically crumbled in the face of opposition from business interests, which often argued such requirements would be onerous and costly, as well as stifle innovation.
"Makers of enterprise software take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats," Victoria Espinel, president of BSA | The Software Alliance, a trade group, said in a statement about the strategy. Ms. Espinel said the document offered a "thoughtful path" for industry and government collaboration.
A senior administration official said the liability push was a "long-term process" that could take many years to develop. "We don't anticipate this is something where we are going to see a new law on the books within the next year," the official said.
The strategy offers a sober assessment of mounting security risks associated with the accelerating integration of digital and physical realities into every facet of daily life, business and commerce that has defined the 21st century -- a trend it says has made the problem of insecure technology an urgent national priority.
In addition to making a forceful call for expanded liability, the plan reiterates several priorities that have frequently been listed by various senior cybersecurity officials, such as urging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology." [1]
1. Volz, Dustin. "U.S. News: U.S. Targets Firms on Cyber Risk --- Administration Wants Software Developers Liable for Products That Lack Protections." Wall Street Journal, Eastern edition, New York, N.Y., 03 Mar 2023: A.6.