Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Lack of Security

The Biden administration said it would pursue legislation to hold software companies accountable for selling technology that lacks cybersecurity safeguards.

Source: WSJ | Published on March 2, 2023

The Biden administration said it would pursue legislation to hold software companies accountable for selling technology that lacks cybersecurity safeguards, concluding that market forces alone are insufficient to protect consumers and the nation.

According to a national cybersecurity strategy released Thursday, free markets and reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services. It states that the administration would collaborate with Congress and the private sector to create liability for software vendors, outlining in broad strokes what such legislation should entail.

“We must begin to shift the liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” says the 35-page strategy, a product of the Office of the National Cyber Director in the Executive Office of the President.

Thursday’s strategy also advocates for a broader set of cybersecurity regulations to protect the nation’s critical infrastructure, which includes energy companies, hospitals, and banks, among others.

According to the strategy, any legislation supported by the administration should prohibit software makers from avoiding liability by contract and establish higher standards for software in specific high-risk situations. The administration would work to create an evolving safe harbor framework to protect companies from liability, drawing on current best practices for secure software.

If successful, such a push on software liability would reshape national cybersecurity policy in the United States, after several Democratic and Republican administrations favored an approach that relied heavily on software vendors and other businesses to voluntarily manage their own cybersecurity. President Biden, in a signed cover letter, said the strategy “takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”

Major software companies “can and should shoulder a larger share of the cyber risk,” said Kemba Walden, acting national cyber director, during a press conference. Hacks of widely used software can be devastating and far reaching, officials and experts have said, such as an alleged Chinese cyberattack on Microsoft email software in 2021 that rendered hundreds of thousands of mostly small businesses and organizations vulnerable to intrusion.

For more than a decade, lawmakers from both parties have attempted to impose certain cybersecurity requirements on businesses, but legislative efforts have typically failed due to opposition from business interests, which frequently argued that such requirements would be onerous and costly, as well as stifle innovation.

“Makers of enterprise software take their responsibilities to customers and the public seriously, and continuously work to evolve the security of their products to meet new threats,” Victoria Espinel, president of the Washington-based trade group BSA | The Software Alliance, said in a statement about the strategy. According to Ms. Espinel, the document provides a “thoughtful path” for industry and government collaboration.

According to a senior administration official, the liability push will be a “long-term process” that will take years to develop with lawmakers and industry. “We don’t anticipate seeing a new law on the books within the next year,” the official said.

President Biden signed the strategy, which was the result of a months-long bureaucratic process involving more than 20 government agencies. It was overseen by Chris Inglis, a former NSA deputy director who stepped down last month as the US government’s first national cyber director. The position was established by Congress to better coordinate cybersecurity work across the federal government, but current and former officials say the office has struggled to find a clear mission in a government crowded with senior cybersecurity officials.

The strategy provides a sober assessment of the growing security risks associated with the accelerating integration of digital and physical realities into every aspect of daily life, business, and commerce that has defined the twenty-first century—a trend that, according to the strategy, has made the problem of insecure technology an urgent national priority.

In addition to making a strong case for increased liability, the plan reiterates several top priorities frequently mentioned by various senior cybersecurity officials in recent years, such as encouraging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology. While much of it is consistent with previous administrations’ goals, the emphasis on liability and mandates on critical infrastructure departs significantly from President Biden’s predecessors.

According to the strategy, voluntary approaches to critical infrastructure cybersecurity have resulted in meaningful improvements, but “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”

It referred to previous mandates imposed by the Biden administration on pipeline operators, rail and aviation systems, and stated that the government would use existing authorities to establish new requirements in critical sectors, and that where gaps exist, it would seek legislation from Congress. According to a senior administration official, similar regulations on other sectors, including an update on existing drinking-water standards, would be announced soon.

The strategy also emphasizes the importance of continuing to use offensive cyber capabilities, such as those housed at the United States Cyber Command, to disrupt and dismantle cyber threats to the United States. The language of the strategy effectively supports steps taken by the Trump administration to allow the military to be more active with offensive cyber weapons. Mr. Biden’s strategy will take the place of one announced by former President Donald Trump in 2018.