The new national cybersecurity strategy calls for software providers to be held accountable for vulnerabilities in their products – a fundamental shift in approach that sparked concerns among some technology associations and firms.
A leading trade association representing the information and communications technology industries has pushed back on a series of software liability reforms featured in the new national cybersecurity strategy this week.
The Information Technology Industry Council warned of overreach, implementation issues and questioned what evidence the administration had to support claims that tech firms weren't using effective software security measures during a briefing on Friday, a day after the White House released the sweeping 35-page document. The strategy – the first to be released since 2018 – calls for a fundamental shift in accountability towards technology firms and entities “that fail to take reasonable precautions to secure their software.”
John Miller — ITI's general counsel and senior vice president of policy, trust data and technology — pointed to language in the strategy that calls for new legislation to prevent software manufacturers from disclaiming liability by contract.
“I have questions regarding any proposal that starts interfering with at least the ability of, what appears to be from the proposal, some private parties to enter into contracts," Miller said. "The underlying premise here seems to be ... that bigger companies are somehow cutting corners and not using appropriate software assurance practices."
The strategy said a transformative change was needed across tech industries to place further responsibility for vulnerabilities onto "the stakeholders most capable of taking action to prevent bad outcomes" rather than "the end-users that often bear the consequences of insecure software."
It further stated the administration will work with Congress and the private sector to create new legislation that places further liability on software developers “when they fail to live up to the duty of care they owe consumers."
The Office of the National Cyber Director will simultaneously spearhead an effort to coordinate vulnerability disclosure across all technology types and sectors, and to develop a "safe harbor" to shield companies that securely develop and maintain their products from liability, according to the strategy
The safe harbor component of the software liability reform "must evolve over time" to incorporate new tools for secure software development and vulnerability discovery, the strategy said, while drawing from best practices featured in guidance like the National Institute of Standards and Technology Secure Software Development Framework.
Miller said the safe harbor could be a potential avenue to mitigate some of his concerns, though he added that there are still uncertainties around the execution of the plan and its liability reforms.
“I also have a lot of questions about how this type of approach would be implemented,” Miller said. “I think whenever you start kind of distorting market incentives and contractual relationships you could end up getting kind of the opposite result than you were hoping for.”
Other cybersecurity experts across industries have raised concerns about the implementation of the national strategy, saying the federal government lacks the workforce, funding and authorities to successfully execute the national plan.
"The strategy's ultimate success will depend on the government's ability to pass constructive laws, collaborate and implement the proposed initiatives effectively and in a timely manner," said Bill Wright, head of global government affairs for the cybersecurity firm Elastic. "Cybersecurity is complex, and the evolving cyber threat requires a comprehensive and coordinated approach."
Chris Wysopal, founder and chief technology officer of Veracode, told FCW a "concrete list of activities and features” was needed for software providers to effectively meet the requirements of a safe harbor framework.
"Vendors will be responsible for the code they assemble into their final products, which should lead to more scrutiny during the open-source selection process and better tracking of issues as they arise," he said. "Though regulation may be challenging, it will be worthwhile in the long run to hold technology providers accountable for their actions and to keep users safe."