The Biden administration’s new cybersecurity strategy will, among other things, punish big software developers for failing to follow best practices. And, for the first time, it will make them liable.
But not small shops, nor open source projects. So if your supply chain includes vulnerable code, do you become liable?
Naturally, it’s dividing opinions. As usual, in this week’s Secure Software Blogwatch, we’re not going to tell you what to think.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Creative destruction (or, why AI is BS).
A thin line
What’s the craic? Ines Kagubare reports — “Biden administration unveils long-awaited national cyber strategy”:
The Biden administration released its highly anticipated national cybersecurity strategy [last week] which is intended … to protect the nation’s cybersecurity ecosystem. … The administration also said that it will shift the responsibility to defend the nation’s cybersecurity away from individuals, small businesses, and local governments.
Kemba Walden, acting National Cyber Director, said … the government should “double down” on resources they have, including using law enforcement and military authorities. … Walden was named acting director following the resignation of Chris Inglis, who was appointed by Biden in 2021 to serve as the nation’s first national cyber director.
What’s in it? Christian Vasquez, Elias Groll and Tonya Riley crafted this fine overview — “Strategy advocates tech regulation, software liability reform”:
“Hugely expensive lawsuits”
The White House’s long-awaited strategy for improving the security of computer systems represents a shift [away] from the government’s long-standing emphasis on information sharing and collaboration toward a more strictly regulated approach. [It] calls for critical infrastructure owners and operators to meet minimum security standards, to expose software companies to liability for flaws in their products and for the U.S. to use all elements of its national power to prevent cyberattacks before they happen.
After years of most critical infrastructure relying largely on voluntary guidelines to shape their approach to cybersecurity … the White House now calls for “minimum standards” for owners and operators that are performance-based, using existing frameworks such as the [CISA] performance goals or the [NIST] framework for critical infrastructure. [It] represents a stark difference from the Trump administration, which highlighted market incentives as the key driver for improving cybersecurity resilience.
Exposing software makers to liability … could open up tech companies to hugely expensive lawsuits and force them to pay stiff fines. … The goal is not to target open-source software developers, for example, but big software companies.
Wow. That’s certainly a shift. And Andy Ellis is not a fan — “Liability reform is liable to push us off a cliff ”:
“An exercise for the lobbyists”
Like “SBOMs will solve everything,” there is a regular cry to reform software liability. … The proposed remedy, taking up a full page of the Biden Administration’s National Cybersecurity Strategy, will cause more problems than it solves.
Some of the most notable “celebrity vulnerabilities” over the past decade haven’t been the fault of one company: Heartbleed, Log4j, Shellshock, Meltdown. What these all have in common is that the vulnerable code was in open-source software.
The White House appears to want to solve this by holding not the original developers liable, but only the final-goods assembler. How to implement that desire into a law without creating loopholes big enough for well-funded legal teams to drive their companies through will, of course, be left as an exercise for the lobbyists.
Why so cynical? Chris Painter — @C_Painter — is very much in favor:
“Without major compromises”
I’ve worked on many cybersecurity strategies over 20 yrs, and this new WH one is very strong and forward leaning. Strong endorsement and articulation of norms, accountability and intl engagement; finally recognizing need for smart regulation for CI.
Finally talks about standard of care for software among many other things. Of course, implementation is the key here — and I understand that is already well underway. In short, not your father’s (or grandfather’s) cyber strat, builds on the old but offers something new.
And congrats on getting it through the interagency and consultative process without major compromises. I know from long experience that itself is a big lift!
As is sork:
Good. Last year we had gas shortage because some pipeline owner fell for a ransomware attack. There should be consequences on them for that over the lost profit. It cost a lot of money and disrupted lives of individuals.
Want to be important and make lots of money? Well when **** goes bad, you’re gonna have to pay the entire bill.
It’s as if jacks smirking reven has been reading Secure Software Blogwatch:
Would any of us object if DOJ went after LogMeIn, a $1.2B corporation, for the absolute debacle that seems to be the LastPass breach? Or the multiple breaches T-Mobile or other companies have had for their likely corner cutting and poor practices?
[But] we are also probably being optimisitc in thinking any of this will get through the morass that is a split Congress currently.
But it’s all in the implementation and enforcement. gsgrego is not optimistic:
Unless they are going to personally fine, jail, and otherwise meaningfully punish executives and shareholders then it’s meaningless. If the cost of failing to comply is nothing more than a few percent of the profits gained by not complying then it’s simply reduced a part of the cost of doing business.
And Powercntrl fears it won’t end well:
Tell me you don't understand the complexity of modern software without telling me you don't understand the complexity of modern software.
This coming from the same government which failed to understand that it takes a certain amount of water to flush a turd. And they think they should be regulating software security practices? I can't wait to see what low-flush software security looks like.
As with all things in life, reality is nuanced. Here’s Coppercloud:
Hopefully this will only punish those that are clearly negligent. It will, however, give us more opportunity to push for safe practices [such as] making people sign liability waivers if they don't want to use MFA.
Meanwhile, Tough Love brings some tough love: [You’re fired—Ed.]
Step 1: Ban Windows.
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.