The Biden administration plans to pursue a liability framework to hold the software industry accountable for insecure software, according to administration officials and documents released by the Office of the National Cyber Director this week.
Federal officials said they have taken steps toward a long-stated goal of shifting the security burden away from technology users and onto the industry.
The administration wants to pursue a plan to create incentives that will help enable long-term investment in cybersecurity and resilience, Nick Leiserson, assistant national cyber director for cyber policy and programs, said during a panel Monday at the RSA Conference in San Francisco.
Leiserson cautioned the objective was not to create a liability framework for the purposes of opening up the software industry to lawsuits.
“That’s not the point,” Leiserson said during the panel discussion. “The point is to secure investments in secure software development.”
The White House hosted a symposium on the software liability issue in March, which included legal scholars, think tank representatives and top administration officials, including National Cyber Director Harry Coker Jr., Anne Neuberger, a deputy national security advisor for cybersecurity and emerging technologies, and Maya Song, senior advisor to the deputy attorney general.
The ONCD recently began to engage software developers about how best to pursue secure software development practices. Officials plan to expand that outreach later this year to include consumer advocates and critical infrastructure providers.
Currently, software license agreements largely shield companies from lawsuits through limitation-of-liability clauses and warranty disclaimers, according to James Dempsey, senior policy advisor at Stanford University’s Program on Geopolitics, Technology and Governance, who moderated the panel.
The ONCD included the pursuit of software liability in its cybersecurity posture report released this week.
A group of 68 technology and security firms signed a security pledge from the Cybersecurity and Infrastructure Security Agency on Wednesday, committing to secure practices such as enabling multifactor authentication, eliminating default passwords and providing greater transparency on vulnerability disclosure.
Still, the pledge is voluntary and CISA has no formal enforcement mechanism behind it.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said the agency supports the ONCD's effort to create the liability measures.
“In parallel with voluntary actions like CISA’s Secure by Design pledge, such an approach can create a future where products built with security in from the start are the norm, not an exception, and where accountability for cybersecurity is allocated toward those entities most able to bear it,” Goldstein said in an emailed statement.
Questions about software liability have been around for at least 30 years, dating back several administrations. However, the Biden administration has pushed to shift the security burden away from users.
Among the key issues in secure software are underlying weaknesses in code that lead to vulnerabilities malicious actors can exploit.
Just last week, the FBI and CISA urged tech manufacturers to take steps to eliminate directory traversal vulnerabilities from their applications. Such vulnerabilities are linked to some of the worst exploitation campaigns in the U.S., including the ConnectWise ScreenConnect vulnerability in February.
Brian Fox, co-founder and CTO at Sonatype, said a liability regime for the software industry is long overdue. He has spent 15 years educating the industry on the need for such a framework and says additional measures are now needed.
“We’re basically looking at market failure here,” said Fox. “That’s where government needs to step in to fix.”