Dustin Volz
WASHINGTON—The Biden administration said it would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections, concluding that market forces alone aren’t sufficient to guard consumers and the nation.
Free markets and a reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services, according to a national cybersecurity strategy released Thursday. It says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail.
“We must begin to shift the liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” says the 35-page strategy, an interagency product that was written by the office of the national cyber director, which is part of the executive office of the president. Thursday’s strategy also advocates developing a more expansive framework of cybersecurity regulations to protect the nation’s critical infrastructure—a categorization that includes energy operators, hospitals and banks, among others.
Any legislation supported by the administration should prevent software makers from avoiding liability by contract and create higher standards for software in specific high-risk situations, the strategy says. The administration would work to develop an evolving safe harbor framework—borrowing from current best practices for secure software—to shield companies from liability, it adds.
Such a push on software liability, if successful, would pivot national cybersecurity policy in the U.S. after several Democratic and Republican administrations favored an approach that largely relied on software vendors and other businesses to voluntarily manage their own cybersecurity. President Biden, in a signed cover letter, said the strategy “takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”
Major software companies “can and should shoulder a bigger share of the cyber risk,” Kemba Walden, acting national cyber director, said during a media briefing. Hacks of widely used software can be devastating and far reaching, officials and experts have said, such as an alleged Chinese cyberattack on Microsoft email software in 2021 that rendered hundreds of thousands of mostly small businesses and organizations vulnerable to intrusion.
Chris Inglis, who was the U.S. government’s first national cyber director, oversaw the strategy plan.PHOTO: STEVEN SAPHORE/SHUTTERSTOCK
For more than a decade lawmakers in both parties have sought to create certain cybersecurity requirements on companies, but legislative efforts have typically crumbled in the face of opposition from business interests, which often argued such requirements would be onerous and costly, as well as stifle innovation.
“Makers of enterprise software take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats,” Victoria Espinel, president of BSA | The Software Alliance, a Washington-based trade group, said in a statement about the strategy. Ms. Espinel said the document offered a “thoughtful path” for industry and government collaboration.
A senior administration official said the liability push was a “long-term process” that could take many years to develop with lawmakers and industry. “We don’t anticipate this is something where we are going to see a new law on the books within the next year,” the official said.
The strategy, signed by President Biden, is the culmination of a monthslong bureaucratic process that involved more than 20 government agencies. It was overseen by Chris Inglis, a former deputy director of the National Security Agency, who stepped down last month as the U.S. government’s first national cyber director. The position was created by Congress to better coordinate cybersecurity work across the federal government, but some current and former officials have said the office has struggled to find a clear mission amid a government crowded with senior cybersecurity officials.
The strategy offers a sober assessment of mounting security risks associated with the accelerating integration of digital and physical realities into every facet of daily life, business and commerce that has defined the 21st century—a trend it says has made the problem of insecure technology an urgent national priority.
In addition to making a forceful call for expanded liability, the plan reiterates several top priorities that have frequently been listed by various senior cybersecurity officials in recent years, such as urging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology. While much of it is consistent with the goals of past administrations, the focus on liability and mandates on critical infrastructure largely depart from President Biden’s predecessors.
Voluntary approaches to critical infrastructure cybersecurity have yielded meaningful improvements, the strategy said, but “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”
It noted previous mandates imposed by the Biden administration on pipeline operators and rail and aviation systems, and said the government would use existing authorities to set necessary new requirements in critical sectors, and where gaps exist to do so it would seek legislation from Congress. A senior administration official said similar regulations on other sectors would be announced soon, including an update on existing standards for drinking-water systems.
The strategy also emphasizes the need for persistent use of offensive cyber capabilities, such as those housed at the U.S. Cyber Command, to disrupt and dismantle cyber threats to the U.S. The strategy’s language effectively endorses steps taken during the Trump administration to allow the military to be more active with offensive cyber weapons. Mr. Biden’s strategy replaces one issued by former President Donald Trump in 2018.
Security experts and former officials said establishing liability for software manufacturers was the most significant—if hardest to achieve—element of the strategy.
“In the rush to market you can’t cut corners on safety. That’s why builders of apartment houses that collapse and makers of baby strollers that crumple are liable when people get hurt,” said Glenn Gerstell, the former general counsel of the National Security Agency. “Now we’re doing that for cyber.”
No comments:
Post a Comment