The Biden administration is taking proactive steps to enhance software security by initiating discussions with software developers. These discussions, spearheaded by Nick Leiserson, the assistant director for cyber policy and programs at the Office of the National Cyber Director, aim to develop legal frameworks that shift the liability for software flaws from users to manufacturers. This move is intended to incentivize the private sector to improve software development practices and produce more secure software products. The announcement was made during the RSA Conference in San Francisco, highlighting the administration’s commitment to addressing cybersecurity vulnerabilities head-on.
Leiserson explained that the engagement with software makers began in March and is expected to continue over the next eight to ten months. The primary focus is not to impose liability for its own sake but to encourage better software development that could lead to safer digital environments. This approach is likened to safety standards in other sectors, such as food and automotive, where manufacturers are held accountable for the safety and integrity of their products. By applying similar principles to software production, the administration hopes to significantly reduce the risks associated with cyber exploitation.
The discussions are set to expand later in the year to include operators of critical infrastructure, who are increasingly dependent on third-party software for their operations. This expansion is crucial, considering the potentially catastrophic consequences of cybersecurity failures in critical infrastructure systems like water management or dams. The legal experts involved have pointed out that the current market conditions do not favor secure software development, as many manufacturers include clauses in contracts that absolve them of responsibility for flaws once the software is installed.
Additionally, the administration is considering how to handle open-source software, which forms the backbone of many systems globally. There have been instances where maintainers of open-source projects have attempted to sabotage the code. One proposal is to ensure that any open-source tooling used in commercial products is updated to the latest version to minimize vulnerabilities. Another is a shared liability model between open-source maintainers and the commercial entities that utilize their software, aiming to foster a more responsible and secure integration of open-source resources into mainstream products. This comprehensive strategy aligns with the objectives outlined in the National Cyber Strategy released last year by the Biden administration, which aims to strengthen the U.S. cybersecurity posture across various sectors.