On March 2nd, the U.S. government issued the long-anticipated 2023 National Cybersecurity Strategy, the next step in a series of recent actions designed to improve cybersecurity for federal government agencies, the nation’s businesses, and citizens as a whole. (Learn more about recent government actions on our government open source cybersecurity resource center.)
This newly released strategy will have a widespread impact on future policies and laws emerging from the government regarding cybersecurity. But how specifically will it impact open source maintainers and those who contribute to widely used open source projects?
In this post we cover three key areas we believe open source maintainers should be watching closely.
A top headline in many articles about the National Cybersecurity Strategy is that the government intends to hold commercial software companies liable for damages caused by security flaws in their products, much as manufacturers in other industries, such as automobiles or healthcare, are responsible for flaws in their products.
From the strategy document:
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”
The last line in particular is important because it specifically states that open source maintainers will not be held liable for the consequences arising from their project being integrated into a commercial product. This stands in contrast to language in the recent EU Cyber Resilience Act that, while protecting non-commercial open source, offered no similar protections for what it described as commercial open source.
In a press briefing after the strategy was released, an unnamed White House official offered more color on how the liability question might impact open source maintainers:
“So, on the liability question, the first thing that we’re trying to do here is make sure that we’re placing liability where it will do the most good. So, we don’t want to place liability, say, on the developers of open-source software who don’t have any resources, whose software is used by commercial providers to build their products.
If we placed liability there, we don’t get the changes that we want in the ecosystem. So, the first principle we’ve had is to place liability where it will do the most good. And in some people’s articulations, that’s on the final goods-assembler. Right? The company that is building and selling the software, they need to be liable for what they put in it and work to reduce vulnerabilities and use best practices.
We can’t have them devolving that responsibility down to a two-person, open-source project that hasn’t received any funding in the last five years. That’s not going to get us the outcome that we want.”
We recommend open source maintainers pay very close attention to how these government actions continue to refine how they view liability for commercial software and open source, and we’ll keep you informed as we gain understanding of any liability implications for maintainers. For now, we find the language in the National Cybersecurity Strategy very promising for protecting open source maintainers.
The strategy also makes clear that the government intends to step in with more regulations and requirements around cybersecurity. This will impact, and in fact is already impacting, many open source maintainers.
While the strategy states that software producers will be held liable for security flaws in their products, it also offers a bit of a carrot to producers: a “liability shield” and “safe harbor protections” for organizations that can show they are following secure development practices.
The strategy document points to compliance with the NIST Secure Software Development Framework as one clear way for organizations to show they are following secure development practices. In return for following this development framework, organizations could expect liability protections from the government (not yet clearly articulated), so organizations will be highly motivated to document their development practices and those of the open source packages they rely on.
How will this impact maintainers? As organizations look for ways to take advantage of this liability protection from the government (and avoid an extreme negative outcome like Equifax paying $700M in government fines in 2019 after failing to upgrade a critical open source component), they will come to maintainers asking them to attest to the secure development practices in use on their projects so that they can in turn attest to fully complying with the NIST framework. (Here’s a post that covers the NIST SSDF recommended practices in more detail.)
At Tidelift, we believe organizations shouldn’t expect maintainers to do this work for free, which is why we pay maintainers to validate that their packages follow common secure development practices like those outlined in the NIST SSDF and the OpenSSF Scorecards project.
The final area for maintainers to keep their eyes on is the promise in the National Cybersecurity Strategy that the government will invest more in efforts to improve open source security. From the strategy document:
“To further incentivize the adoption of secure software development practices, the Administration will encourage coordinated vulnerability disclosure across all technology types and sectors; promote the further development of SBOMs; and develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure. In partnership with the private sector and the open-source software community, the Federal Government will also continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”
We’ll be excited to see more details regarding how the U.S. government plans to work with the open source software community to improve software security, and will bring them to you as we find out more.
Tidelift CEO Donald Fischer recently hosted a webinar briefing on the impacts of the National Cybersecurity Strategy, and you can watch it on demand at any time.
How do you think recent government actions like the National Cybersecurity Strategy in the U.S. will impact open source maintainers?
We’ve also opened our call for presentations for Upstream 2023, and want to hear from you! Do you have thoughts or perspectives to share about the accidental open source software supply chain and new cybersecurity regulations? We’re accepting presentations until April 7, 2023.