White House Seeks to Boost Cybersecurity by Holding Software Sector Accountable
The Biden administration is setting its sights on enhancing national cybersecurity by implementing a liability framework aimed at the software industry’s responsibility for security flaws. This initiative is rooted in a series of administrative moves and discussions, signified by recent documents published by the Office of the National Cyber Director. The strategy signals a pivotal shift, intending to reallocate the burden of security from end-users to the manufacturers and developers within the technology sector.
During a panel at the RSA Conference in San Francisco, Nick Leiserson, the assistant national cyber director for cyber policy and programs, emphasized the administration’s commitment to fostering an environment conducive to cybersecurity investments. Contrary to potentially fostering a litigious climate against software developers, the plan aims to incentivize the development of inherently secure software. “That’s not the point,” Leiserson clarified, underscoring the initiative’s focus on reinforcing cybersecurity measures rather than paving the way for lawsuits.
In March, a symposium hosted by the White House brought together legal experts, policy thinkers, and key administration officials, including National Cyber Director Harry Coker Jr., and Deputy National Security Advisor for Cybersecurity and Emerging Technologies, Anne Neuberger. The conversation revolved around navigating the complexities of software liability and its implications for the industry’s future.
The Office of the National Cyber Director has initiated dialogues with software developers to explore best practices for secure software development. A plan is in motion to broaden this engagement to include consumer advocates and critical infrastructure operators towards the latter part of the year.
At present, the legal landscape is such that software license agreements largely exempt companies from legal action through various disclaimers and limitations of liability clauses. This reality was highlighted by James Dempsey, a senior policy advisor at Stanford University’s Program on Geopolitics, Technology, and Governance, during the panel discussion.
This week, the cybersecurity posture report by the ONCD officially included the pursuit of software liability measures as a strategic objective. Meanwhile, a collective of 68 technology and security companies has endorsed a cybersecurity pledge under the auspices of the Cybersecurity and Infrastructure Security Agency (CISA), promising to adhere to practices such as multifactor authentication and the elimination of default passwords. However, this pledge remains a voluntary commitment, lacking a formal enforcement framework.
Eric Goldstein, executive assistant director for cybersecurity at CISA, voiced his support for the ONCD’s push for liability measures. He advocates for a future where security is an integral part of product design, attributing responsibility for cybersecurity to those in the best position to implement it. Goldstein views these measures as complementary to CISA’s current voluntary actions, projecting a more secure future through mandatory design standards.
The concept of software liability is not new, with debates dating back over 30 years across various administrations. Yet, the Biden administration’s proactive stance on shifting the security accountability towards the industry marks a significant policy evolution.
Fundamental to the secure software debate are the vulnerabilities present in the existing code, which open doors for malicious exploitation. Just last week, the FBI and CISA issued warnings to tech manufacturers regarding directory traversal vulnerabilities, linked to some of the most detrimental cyberattacks in U.S. history.
Brian Fox, co-founder and CTO at Sonatype, voices a longstanding concern for a liability framework within the software industry. With over 15 years spent advocating for such measures, Fox asserts the current situation epitomizes market failure, necessitating governmental intervention for resolution. “We’re basically looking at market failure here,” said Fox, advocating for the government’s role in correcting the imbalance.
As the White House moves forward with its plans, the dialogue surrounding software liability and cybersecurity is poised to take center stage in policy discussions. With the government, developers, and cybersecurity professionals working in alignment, the nation could witness significant advancements in its collective cybersecurity posture, paving the way for a more secure digital future.
