In the endless fight to improve cybersecurity and encourage investment in digital defenses, some experts have a controversial suggestion. They say the only way to make companies take it seriously is to create real economic incentives—by making them legally liable if they have not taken adequate steps to secure their products and infrastructure. The last thing anyone wants is more liability, so the idea has never exploded in popularity, but a national cybersecurity strategy from the White House this week is giving the concept a prominent boost.
The long-awaited document proposes stronger cybersecurity protections and regulations for critical infrastructure, an expanded program to disrupt cybercriminal activity, and a focus on global cooperation. Many of these priorities are widely accepted and build on national strategies put out by past US administrations. But the Biden strategy expands significantly on the question of liability.
“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” it says. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”
Publicizing the strategy is a way of making the White House’s priorities clear, but it does not in itself mean that Congress will pass legislation to enact specific policies. With the release of the document, the Biden administration seems focused on promoting discussion about how to better handle liability as well as raising awareness about the stakes for individual Americans.
“Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” acting national cyber director Kemba Walden told reporters on Thursday. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe. This strategy asks more of industry, but also commits more from the federal government.”
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, had a similar sentiment for an audience at Carnegie Mellon University earlier this week. “We often blame a company today that has a security breach because they didn’t patch a known vulnerability,” she said. “What about the manufacturer that produced the technology that required too many patches in the first place?”
The goal of shifting liability to large companies has certainly started a conversation, but all eyes are on the question of whether it will actually result in change. Chris Wysopal, founder and CTO of the application security firm Veracode, provided input to the Office of the National Cyber Director for the White House strategy.
“Regulation in this area is going to be complicated and tricky, but it can be powerful if done appropriately,” he says. Wysopal likens the concept of security liability laws to environmental regulations. “You can’t simply pollute and walk away; businesses will need to be prepared to clean up their mess.”
The comparison underscores how resistant businesses will likely be to such a transition, though, particularly large, legacy tech companies whose products are used widely around the US and the world. “Some companies will welcome the strategy more than others,” Wysopal concedes.
Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues, emphasizes that from an industry perspective, “the devil is in the details” on all these proposals. On legal liability, he says the debate comes down to what exactly is meant by “reasonable.”
“We all see the extremes in the continuum—we see the providers that are doing a poor job, that are just throwing stuff out there,” he says. “I’m fine for liability on them, but what about those that are trying to do their best but are engaged in an unwinnable war with well-resourced hackers? What’s ‘reasonable’?”
One point from the strategy that might see more movement is the Biden administration’s proposal for some sort of federal backstop to help stabilize the cybersecurity insurance market. If liability for cybersecurity failures were to shift in any meaningful way, cybersecurity insurance would become even more vital than it already is for tech companies and others who hold sensitive data, like health care firms. But that’s assuming insurance companies will cover cybersecurity incidents at all.
In late December, Mario Greco, CEO of the massive European insurer Zurich, told the Financial Times, “What will become uninsurable is going to be cyber.” The comment, made a day after Christmas, added an edge to an already tense climate in which companies grasp for safeguards and solutions as cybercriminal and nation-state attacks impose rapidly rising costs.
A government backstop like the one the national cybersecurity strategy is proposing could provide crucial reassurances, but Tuma points out that it could also come with strings attached for the insurance industry and its clients. He suggests the US government could mandate that, in exchange for its support, anyone who makes cybersecurity insurance claims would be required to report the incident to the FBI’s Internet Crime Complaint Center. “They need more cooperation from the private sector in reporting these events,” Tuma says.
And this question of how to incentivize all the different facets of cybersecurity investment is at the core of what the new White House strategy is grappling with.
“I feel the White House is very serious about this,” Veracode’s Wysopal says. “The public-private partnership around cybersecurity is quite real in the federal government today. That is a welcome change from just a few years ago.”