Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), has called on Congress to create legislation that allows software makers to be held legally liable for the insecurity of their products. She also proposed protecting companies that develop secure software from legal liability. Easterly's comments came during a speech at Carnegie Mellon University in which she advocated a move towards 'secure-by-design' and 'secure-by-default' products, which she suggested could be achieved through the introduction of legislation.
The CISA director called for higher standards of care for software in specific critical infrastructure entities and proposed the creation of a safe harbour framework. The safe harbour would shield companies that securely develop and maintain their software products and services from liability.
Easterly argued that the burden of cybersecurity is currently being placed on users, and that this needs to stop. She suggested that lengthy terms of service documents and the continual updating of software should not result in liability being placed on the user. Easterly acknowledged the difficulty of getting legislation passed, and said she has not reached out to Congress or industry to gauge interest in the proposal. She anticipates that her ideas will be incorporated into the long-awaited national cyber strategy, which has been developed with the involvement of industry.
The idea of holding software makers liable for their security shortcomings has been around for more than two decades, but the issue has been tough to resolve. The Cyberspace Solarium Commission drafted sample legislation as a starting point for any lawmaker wanting to embrace the issue, but it has had trouble finding takers. Some cybersecurity experts have cautioned against the idea of holding software makers liable. They suggest that it is impractical to create software that is entirely secure, and that it is challenging to determine who to blame when security breaches occur. Alfredo Hickman, Head of Information Security at Obsidian Security, offers his insights on what could be a challenging but ultimately critical undertaking for the industry:
"Jen Easterly is fighting an uphill battle with this proposal, but now is the right time to have this conversation. The idea of extending legal liability for software vulnerabilities to the companies producing the software has been around for a long time. However, the topic has not gotten much traction due to the myriad of valid counterpoints against the topic. The Internet, certain critical infrastructures, and the software that supports them have become vital for national security, prosperity, and even everyday life. Accordingly, it's time to consider this issue as one of public safety, national security, and global competitiveness.
History has proven that market forces are not in line to support proactive investments and measures for software security in any nationally coordinated and mutually supporting manner in line to address public safety and national security concerns. Extending legal liability to companies that fail to reasonably secure their software products could be a viable step to improving the situation. However, it could also result in the exact opposite and disincentivize innovation and entrepreneurial risk-taking. This is where liability boundaries and protections would be critical to ensure an adequate balance for the desired outcomes of improved security, safety, and national competitiveness. Now is the time to resolve this issue once and for all; the stakes are too high to ignore it."