In the endless fight to improve cybersecurity and encourage investment in digital defenses, some experts have a controversial suggestion. They say the only way to make companies take it seriously is to create real economic incentives—by making them legally liable if they have not taken adequate steps to secure their products and infrastructure. The last thing anyone wants is more liability, so the idea has never exploded in popularity, but a national cybersecurity strategy from the White House this week is giving the concept a prominent boost.
The long-awaited document proposes stronger cybersecurity protections and regulations for critical infrastructure, an expanded program to disrupt cybercriminal activity, and a focus on global cooperation. Many of these priorities are widely accepted and build on national strategies put out by past US administrations. But the Biden strategy expands significantly on the question of liability.
“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” it says. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”
Publicizing the strategy is a way of making the White House’s priorities clear, but it does not in itself mean that Congress will pass legislation to enact specific policies. With the release of the document, the Biden administration seems focused on promoting discussion about how to better handle liability as well as raising awareness about the stakes for individual Americans.
“Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” acting national cyber director Kemba Walden told reporters on Thursday. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe. This strategy asks more of industry, but also commits more from the federal government.”
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, had a similar sentiment for an audience at Carnegie Mellon University earlier this week. “We often blame a company today that has a security breach because they didn’t patch a known vulnerability,” she said. “What about the manufacturer that produced the technology that required too many patches in the first place?”
The goal of shifting liability to large companies has certainly started a conversation, but all eyes are on the question of whether it will actually result in change. Chris Wysopal, founder and CTO of the application security firm Veracode, provided input to the Office of the National Cyber Director for the White House strategy.
“Regulation in this area is going to be complicated and tricky, but it can be powerful if done appropriately,” he says. Wysopal likens the concept of security liability laws to environmental regulations. “You can’t simply pollute and walk away; businesses will need to be prepared to clean up their mess.”