White House in talks with industry to build legal framework for software liability


As part of a broad cybersecurity strategy, the U.S. wants to create incentives for the tech industry to manufacture products and software that don’t contain major security flaws.

SAN FRANCISCO — The Biden administration recently initiated discussions with software developers in an effort to craft frameworks that would legally incentivize the private sector to take steps to manufacture and release software that doesn’t contain exploitable flaws, a White House official said Monday.

Nick Leiserson, the Office of the National Cyber Director’s assistant director for cyber policy and programs, told an audience at the RSA Conference in San Francisco that the White House began outreach efforts to software makers in March to pick their brains about how to best craft legal clauses that shift software liability away from customers and more onto manufacturers.

“This [engagement] is all very much over the next, you know, eight to 10 months,” he said on the sidelines of the conference. “Much of our focus is saying the goal isn’t liability for liability sake. It’s to incentivize different or incentivize improved software development practices.”

Those discussions will be expanded to critical infrastructure operators that use software later this year, he added onstage. Critical infrastructure owners and operators are heavily reliant on third-party software, and regulators have publicly disclosed concerns over how flawed software tethered to infrastructure systems like water or dams could allow hackers to easily hijack them.

Legal experts argue that the software market isn’t incentivizing secure development, with major manufacturers weaving clauses into contracts that make users accept the software “as is” upon installation, which leaves customers to bear the entire risk of a product, including defects that could enable cyber exploitation.

Proponents of secure software incentives have drawn comparisons to food safety or automobile standards, arguing that legal directives for software building would benefit all of society. Some software defects have existed for years but have not been entirely addressed.

Challenges include whether to create a tiered liability system and whether arbitration could be allowed if a user is exploited through software flaws, he noted.

Additionally, officials will have to consider open-source software offerings, which underpin systems all over the world. Sham open-source software maintainers have recently been found attempting to sabotage the underlying code on which those projects are built.

One possible solution would be directing manufacturers that incorporate open-source in their offerings to ensure that the tooling is updated to its latest version, said Leiserson. Another proposal on the table would be shared liability between open-source maintainers and for-profit firms who integrate those open tools into their products, he added.

Software liability is a major component of the Biden administration’s National Cyber Strategy released last year, which outlines nearly 70 objectives aimed at shoring up U.S. cyber posture.

The Cybersecurity and Infrastructure Security Agency is expected this week to announce signatories on a “secure by design” commitment focused on getting the private sector to ship out products that have built-in security characteristics by default.