The Biden administration’s recently announced National Cybersecurity Strategy calls for more aggressive measures both at home and abroad, and on the domestic front that looks like more of a “carrot and stick” approach for the biggest tech firms and software providers.
These key companies will have new financial incentives made available to them, but are also looking at stiffer regulation in cases where they are found to be at fault for data breaches. Much of the new cybersecurity strategy addresses critical infrastructure companies, which were already in the administration’s crosshairs, but software creators are also facing the prospect of a much greater degree of liability than in the past.
Biden cybersecurity strategy enters new territory, likely to face strong pushback
Liability for software publishers would be a new development in US law, and one that the tech industry in general is likely to vigorously oppose. With only rare exceptions, civil suits involving defective software tend to be unsuccessful unless there is some sort of extreme damage (such as injury or death). The licensing agreements that software producers craft essentially give them blanket immunity from the legal consequences of oversights in code.
Calls for software liability reform have grown in recent years as criminal hacking has increased dramatically, and as assorted actors have demonstrated the ability to cause real-world damage by exploiting vulnerabilities. Another factor is the rapid growth of smart devices, which constantly bring more traditionally offline functions of home and business onto the internet.
Brian Fox, CTO and Co-founder of Sonatype, likens this to past pushes to regulate other sectors when the potential for damage became too high: “Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability. Regulations for other industries went through a similar transformation, and we saw a positive result — there’s now an expectation of appropriate due care, and accountability for those who fail to comply. The strategy aptly starts by taking away vendors’ ability to disclaim any and all liability, while recognizing that even a perfect security process can’t guarantee perfect outcomes. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”
The Biden administration appears to be willing to go straight at the thorny issue of software liability reform, given the language used in the cybersecurity strategy declaration. But it also appears to be handing the issue off to Congress to debate, rather than relying on the executive orders that have made up the reforms to critical infrastructure and government agency security thus far. Congress would need to define the exact circumstances in which software companies would be held liable, and would face an expected gauntlet of resistance to any sort of new regulation in this area.
The administration has signaled a proactive beginning to this debate, however, promising to develop “standards of care” for secure-by-design software development and a “safe harbor framework” for companies that demonstrate they are keeping within whatever new regulatory terms emerge. This effort is also likely a non-starter unless the administration commits to targeting tech firms of a certain size that have products that are widely used, and to steering clear of open source efforts.
National defense moves: More “disruption” of foreign aggressors, tougher standards for critical infrastructure
The other focus of the cybersecurity strategy declaration is in continuing to shore up critical infrastructure. The Biden administration has already been doing this for some time via a series of executive orders, but the plan calls for a more comprehensive effort that would sweep up some of the categories of industry that have not received as much attention yet.
All critical infrastructure companies would be looking at the sort of “minimum standards” that have already been applied to the oil and gas pipeline companies in the wake of the Colonial Pipeline disruption. This would apply to the 16 sectors established by CISA, which include food & agriculture and health care among others. The cybersecurity strategy also articulates a need to harmonize these new regulations across sectors as they emerge.
The cybersecurity strategy also declared an intent to be more aggressive and disruptive against hackers, particularly ransomware outfits. This is another potentially touchy area, given that criminal groups are usually based in countries the US is not friendly with. Greater international cooperation seems to be one of the central points of focus, however, with the administration calling for more formal information-sharing arrangements and for collaboration on internet governance agreements.
Ted Schlein, Founding Partner at Ballistic Ventures, expands on what this might also mean in terms of coordinated international responses to incidents: “I think this is an obvious one. Cybersecurity has no borders, so the more we can do with our allies, the safer we will all be. For this, I’m very happy for Nate Fick’s role as Cyber Ambassador. I could see a version of NATO’s Article 5 being designed for cybersecurity so that if one of our allies suffers a cyber attack then the perpetrator is facing a response from everyone. The idea is to create significant deterrence. Today the U.S. does not view a cyber attack in the same way it views a kinetic attack. Thus, we will encourage more cyber attacks as they are safer to execute for our adversaries, and our responses, while they can be meaningful, are far less than a response for a kinetic incursion that results in the same damage.”
Cody Cornell, Co-Founder & Chief Strategy Officer at Swimlane, additionally observes that these security plans have some overlap with proposed new responsibilities for tech and software companies: “An interesting element of the goal of ‘Scaling Public-Private Collaboration’ is to continue to invest not only in the multi-directional sharing of information, but the calls for leveraging of security orchestration to enable real-time sharing to drive threat response. This is the second time the current administration has called for security orchestration to meet cybersecurity challenges. In the first year of the current administration, OMB sent out memorandum M-21-31 calling for orchestration, automation, and response in response to the SolarWinds breach.”
The overall position of the cybersecurity strategy is that it is both “unfair” and “ineffective” to tell end users to be responsible for their own security: unfair in that it shifts the burden from big tech companies onto end users, and ineffective in terms of matters of national security. An official speaking to the media on condition of anonymity said that the plan was a long-term one, however, meant to be implemented gradually over the coming decade rather than forcing major changes in the near term. It also anticipates heavy and drawn-out back-and-forth debates between industry interests and various camps of legislators.
Josh Lospinoso, CEO and Co-founder at Shift5, sees most of these moves as anticipation of a long-term continuing state of cyber war between the world’s premier powers: “When you address cybersecurity issues in a wholesale way like this strategy spells out, you start to really encourage the integration of cyber capabilities that will ensure the U.S. maintains its tactical edge over near peer competitors. The policy is very clear eyed about needing to take the burden off the user, the small business, the local government — and very correct that the government and private industry need to keep breaking down barriers to move and innovate at the speed of war.” Egon Rinderer, CTO at Shift5, agrees: “It’s difficult to avoid reading this through the lens of near peer competition. China, specifically, has spent the better part of two decades enhancing its military readiness by embracing wholesale cybersecurity policies that this strategy calls for. Culturally, financially, commercially — we’ve seen them integrate cyber and electronic warfare capabilities dogmatically to the degree that senior military advancement is dependent upon its inclusion. The way this policy states the problem is exactly how the United States should be framing it, regardless of reception.”
Craig Burland, CISO for Inversion6, additionally observes that this is only the beginning of what is sure to be a long process: “The real test will come in the pronouncements that follow. A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming. How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.”