Feds Say Software Makers Must 'Be Held Liable' for Cybersecurity Failures
The White House issued a new National Cybersecurity Strategy that puts the onus on big tech and software makers to take responsibility for cybersecurity, rather than small shops and individuals.
In a "fundamental shift" in policy, the voluminous document that was released today (March 2) explained the need to "rebalance the responsibility to defend cyberspace."
"The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem," the White House said in the document. "Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors' choices can have a significant impact on our national cybersecurity."
Furthermore, the document said in explaining a strategic objective, "Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers."
Another strategic objective is to "hold the stewards of our data accountable," with the Joe Biden administration supporting legislative efforts to impose limits on organizations that have data on individuals regarding their ability to collect and otherwise use that data.
Along with rebalancing the responsibility to defend cyberspace, another major policy shift is to "realign incentives to favor long-term investments," with the document noting pillars such as:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
The House Homeland Security Committee Democrats issued a statement that said in part, "We also share the Administration's commitment to shifting the responsibility for securing cyberspace on those best positioned to do so and we are eager to explore opportunities to incentivize security-by-design so that consumers no longer bear the brunt of the rush-to-market."
The shift in federal cybersecurity policy comes amid a big tech backlash that has sprung up over the last few years.
Major tech players don't seem to have weighed in on today's report as of the time of this writing, but it had been foreshadowed days earlier.
According to a Feb. 27 Bloomberg News article, "US Cyber Official Urges Microsoft, Twitter to Boost Security," Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a recent speech "that bad software and unsafe practices are facilitating ransomware attacks that are crippling the nation's most essential services, spanning energy supply, food production, hospitals and schools."
Stay tuned for responses from Microsoft, Twitter, Google, Apple, Amazon, Meta and the rest of the "most capable and best-positioned actors."
David Ramel is an editor and writer for Converge360.