Following the release of the Biden administration’s national cyber strategy, the most consequential issue for the private sector will be navigating the plan to hold companies liable for the security of their products.
The strategy calls for the administration to work with Congress and the private sector to develop legislation that will establish liability for software products and services.
Since mid-2022, the administration has promoted efforts to shift the cyber responsibility toward software makers and others to develop more secure products during the design phase. Currently, technology customers have to scan for vulnerabilities and other security flaws after the products have been installed.
The strategy released Thursday says companies with market power would no longer be able to fully escape liability for insecure software and would be subject to higher standards of care in certain high-risk scenarios.
The specific incentives and penalties that would enforce such a shift are not immediately clear; however, the administration does appear ready to use its federal purchasing power, at the very least, to encourage the development and maintenance of more secure software.
“We have seen this time and time again,” Kemba Walden, acting national cyber director, said during a forum held by the Center for Strategic and International Studies. “We need to figure out a way to shift that liability upstream a bit, shift it to the assemblers, shift it to those software developers that have software that goes into critical technology.”
Companies can already be subject to liability under existing law for negligence or breach of contract, according to attorney David Straite, a partner at DiCello Levitt. However, the strategy outlines why additional reforms are necessary, he said.
“First, because many vendor contracts contain limitations on liability (sometimes capped at the value of a contract), or worse, have full liability limitations,” Straite said via email.
Legislation would be required to make such contractual provisions unenforceable, said Straite.
The strategy does call for the creation of a safe harbor framework to shield companies from liability if they securely develop and maintain their software.
IBM outlined general support for the strategy in a March 2 letter to Walden, but emphasized that the safe harbor provision would make it easier for companies to operate within the parameters of the new regulatory framework.
“This is crucial because, as an industry, we know that companies will get hacked,” wrote Chris Padilla, VP of government and regulatory affairs, and Jamie Thomas, general manager of systems strategy and development at IBM. “Without these liability protections, we risk revictimizing the victim and placing organizations in a difficult position of balancing information security with protecting themselves against legal and reputational risk.”
The letter cites existing safe harbor provisions under the Cybersecurity Information Sharing Act of 2015, which allow companies to share sensitive threat information that may prevent other organizations from being impacted by an existing threat.
IBM officials also cite existing safe harbor provisions in states like Utah and Ohio, which have language that protects companies that engage in best practices from a cybersecurity standpoint.
The potential risks extend beyond what are considered traditional technology companies and could impact companies in other industries that sell products built on IoT technology.
Officials at General Motors, which increasingly uses connected technology in its vehicles, declined to comment on the strategy, but said the company is regularly engaged in conversations around cybersecurity.
“Our vehicle development process includes cybersecurity concerns from the earliest stages of design through a vehicle’s lifecycle,” Stuart Fowle, director of communication, global product development and design, said in an emailed statement.
GM’s Vehicle Intelligence Platform contains enhanced security features including over-the-air update capability that can be used to address vulnerabilities if needed.
“We are taking a multilayered approach to in-vehicle cybersecurity and designing vehicle systems so they can be updated with enhanced security measures as potential threats evolve,” Fowle said.
Correction: This article has been updated to correct the spelling of David Straite.