Reception has generally been positive for the White House's proposal to legally enforce software liability -- but cybersecurity vendors and experts have wide-ranging viewpoints on implementation and enforcement of the strategy.
The Biden Administration on March 2 published its National Cybersecurity Strategy, in which the White House laid out its plans to further secure the U.S. digital ecosystem. One of the most publicized elements of the 39-page document was Strategic Objective 3.3, titled "Shift Liability for Insecure Software Products and Services."
The objective argues that end users are those hurt most by insecure software, and the White House aims to hold vendors and software publishers accountable when they release products with significant vulnerabilities.
"Markets impose inadequate costs on -- and often reward -- those entities that introduce vulnerable products or services into our digital ecosystem," the document read. "Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance."
In the service of shifting liability, the Biden Administration said it will work with Congress and the private sector to develop legislation establishing liability for software products and services.
Though the document did not outline potential consequences for wrongdoing, the White House said such legislation "should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios."
"Disclaiming liability by contract" refers to the practice of vendors including language in license agreements absolving themselves from legal liability involving use of the software, regardless of which party is to blame.
To counter concerns that vendors would not be able to innovate, Strategic Objective 3.3 also mentioned a potential "safe harbor framework" under which publishers following an evolving list of standardized development best practices would be protected from liability. The National Institute of Standards and Technology's Secure Software Development Framework was referenced as a best practice.
TechTarget Editorial asked multiple vendor executives and experts during RSA Conference 2023 about their feelings regarding Strategic Objective 3.3 as well as the prospect of software publishers facing consequences for releasing insecure software.
Executives weigh in
Raj Rajamani, CrowdStrike chief product officer of data, identity, cloud and endpoint security, was the most positive about the objective among those interviewed. He said he would "absolutely love" if the U.S. government implemented a policy where vendors releasing products with a high number of vulnerabilities were penalized in some way.
"No product is perfect," he said. "I'm not claiming my product is. There will always be vulnerabilities, no matter how secure your coding and development practices are. But there have been some instances of egregious abuse, and there needs to be some level of process tightening so you're not trying to let the wolf guard the henhouse."
Wendy Thomas, CEO of Secureworks, said it was "long past time" to have a conversation about software liability, but she emphasized the need for a safe harbor framework.
"I generally would have preferred that conversation coming from industry where we're doing that ourselves versus legislation, but the conversation has started, and I think that's the right thing," she said. "There are always complexities in any set of software so you don't want to overpenalize an organization that has good governance, good quality assurance and good practices around that."
Casey Ellis, Bugcrowd co-founder and CTO, said the bug bounty firm was one of the vendors that assisted in the National Cybersecurity Strategy, alongside others like CrowdStrike, and he echoed the importance of the conversation surrounding liability. He said his favorite thing about the objective was that it puts the idea of software liability as a concept in the head of the consumer.
"Even if nothing else happens, the idea that I deserve to be looked after from a cyber standpoint [is important]," he said. "Because at this point in time, I think for the average person, the cyber domain is an extension of the physical domain. When people think about safety as it applies in the real world, they're thinking about it in the cyber domain as well. Vendors should be recognizing that. I think the general direction of the consumer thinking about that as something they should expect is a good thing."
However, despite being generally in favor of the proposal's direction, Ellis said the implementation will be a "nightmare."
"The sorts of economic structures, setting them up from scratch is always a nightmare," he said. "Because no one fundamentally wants to pay a bill like this, so who pays? How does it work? What are the safe harbors?"
Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, which buys bugs from independent researchers before submitting them to publishers and disclosing them to the public, said in an email this week he was similarly concerned about implementation.
"While well intentioned, the implementation could prove problematic," he wrote. "It's good to see vendors being held accountable for security, but the details of the safe harbor could be overly broad. Much will come down to how this is put into practice. In the past, efforts within the industry to enforce security standards have always fallen short. If this effort doesn't prove fruitful, we can expect further legislation to impact software development standards."
Chester Wisniewski, Sophos field CTO of applied research, said legislation codifying software liability into law would be unlikely, given "the House and Senate could not agree that the sky is blue." Asking nicely, he said, is all the government could likely do at this time, but complications would remain even if legislators could eventually agree.
"They would have to pass some legislation, which seems incredibly unlikely, but let's assume they do," he said. "The question really becomes defining what that safe harbor is. And I don't know that you could ask 10 people at this conference what that should be and that any of them would agree. It's a really hard thing to define. I think we all agree that when there's no net, when there's no liability for your actions, you have no incentive necessarily to do anything but profit."
Wisniewski said legal liability carries a host of complications and raises questions involving aspects of software such as legacy and abandoned products. It could be a positive force if some consensus were reached, but he was skeptical that such a thing was possible -- even among professionals with society's best interests in mind.
"Whether you bring together some folks from the EFF [Electronic Frontier Foundation] and you bring people from the Business Software Alliance, and you bring professionals who genuinely want to try to do something good, they probably can't agree on what that needs to look like to move forward," he said. "I'll be curious. I'll be watching it very closely to see how it plays out. Because I think we're all frustrated with the lack of focus on security, as an industry. The security people understand that this is important and really do care about it."
Alexander Culafi is a writer, journalist and podcaster based in Boston.