The blueprint for holding the technology industry accountable for product security is based on similar efforts that resulted in the automobile industry creating safer cars, Acting National Cyber Director Kemba Walden said last week.
Walden, speaking during an Atlantic Council panel on the national cybersecurity strategy Thursday, said the push for accountability will be a multistakeholder, multiyear effort to shift the burden from end users to manufacturers.
“We’ve done it in auto manufacturing before,” Walden said. “We can’t allow the end user to be liable for flaws in code. It’s just that simple.”
The Biden administration rolled out the liability discussion as a key pillar of its national cyber strategy, which is designed to help the U.S. develop a greater capability to prevent and disrupt malicious cyber activity from rogue nation-state and criminal actors.
We can’t normalize the existing practice of rolling out continued security updates on Patch Tuesdays, Walden said, a concern raised previously by Cybersecurity and Infrastructure Security Agency Director Jen Easterly.
Walden cautioned that it will take time and thoughtful consideration to make sure the plan is executed correctly.
“We want to do it right — we have to be thoughtful about it,” Walden said. “And we have to think about not just duty of care and imposing liability, but what are the safe harbors going to look like in this space?”
Walden added that Congress would likely need to get involved in terms of legislative efforts, though she did not specify what that would look like.
Easterly, who also participated in the panel, said the industry has for years accepted the idea that software and related technologies are insecure by design. Software industry flaws are not the result of people with bad intentions, but problems that are more structural, Easterly said.
“The incentives were completely misaligned,” Easterly said. “The incentives are about reducing costs and speed to market and cool features. They just were not about safety and security.”
