This week, CyberScoop reported on new developments in U.S. software cybersecurity liability:
Speaking at the ICS-focused security conference S4x24 in Miami, [Deputy Assistant Director for Cyber Policy and Programs in the Office of the National Cyber Director] Brian Scott also noted that cybersecurity pros can expect an update on software liability reform in the next implementation plan release, and the Biden administration is currently looking at developing a framework around software liability. The White House is also convening a symposium of law professors at the end of March around the issue, he said.
“The administration is committed to working with Congress to develop legislative action to incentivize development of software with more secure code,” Scott said.
One aspect of the framework will be exploring how best to implement safe harbor incentives for companies that are developing code using secure methods. Companies that align with those best practices — which are still being explored — are less likely to face legal issues down the road.
“We want to raise the bar here and raise the standards of care to a higher level for the development of software,” Scott said.
This builds on the language about software liability in the National Cybersecurity Strategy that was released in May 2023:
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”
And the CyberScoop reporting specifically references the safe harbor framework previously described in the National Cybersecurity Strategy:
“To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework. It must evolve over time, incorporating new tools for secure software development, software transparency, and vulnerability discovery.”
Organizations that directly supply U.S. federal government agencies are already contending with new supplier requirements that have been coming into effect over the last year. These additional software cybersecurity liability changes described in the CyberScoop reporting will apply to *all* organizations doing business in the U.S., whether they sell to the government or not.
To prepare for cybersecurity liability changes, every commercial software developer should be working to systematically demonstrate that they are following best practices for secure development, such as those articulated in the NIST Secure Software Development Framework. That will prepare these organizations to find a safe harbor from liability if and when the new liability regime comes to pass, protecting them from existential financial risk and improving their competitiveness against organizations that delay their compliance. Plus, following these secure development practices is a great way to improve security and reduce risk to your business anyway!
How can organizations demonstrate that they are following the prescribed best practices, particularly for third-party open source software incorporated into their products and services? Partnering with independent upstream open source maintainers to establish systematic documentation that open source packages are following the secure development practices (for example, through platforms like Tidelift) will be an essential part of the solution. Attesting to these open source development practices will be a critical part of creating a shield against the approaching new liability framework.