The new National Cybersecurity Strategy from the Biden administration ranges across a number of topics, but the one that jumps out the most is a call for software liability reform. Contract law presently insulates publishers from all but the most serious cases of injury or death, something that has been the standard since computers became common in homes and businesses.
In addition to potentially holding publishers liable for security vulnerabilities, the Cybersecurity Strategy calls for more aggressive pursuit of foreign cyber threats via international cooperation. Critical infrastructure companies are also likely to face tougher standards and regulations, a process that the administration has already begun via executive orders.
National defense, new liability terms addressed in cybersecurity strategy
The least surprising element of the National Cybersecurity Strategy is that critical infrastructure cyber defenses will continue to be bolstered, though the administration is now outlining a plan that would standardize regulations across these sectors. To date, certain sectors (such as oil and gas) have been the target of specific executive orders.
The cybersecurity strategy is also calling for harmonization and improved efforts among international partners in terms of tracking and disrupting cyber criminals. While the plan does not yet get into great detail in this area, this could mean some sort of formal collective defense agreement that obligates all participants when one experiences a serious ransomware attack or something of that nature.
But thus far, most of the cybersecurity strategy appears to be falling on the private sector. The administration is seeking enhanced public-private collaboration on cyber defense, with new information sharing programs and the implementation of security orchestration for real-time threat response (an idea that began to develop in government in the wake of the SolarWinds breach).
Cybersecurity strategy seeks landmark change to law
The biggest change for private companies, by far, is the prospect of software liability reform. Contract law presently allows companies to craft user agreements that essentially shield them from just about any defects that emerge in code. The administration has sent a clear signal that it wants this to change.
The shift in direction appears to be prompted both by the sharp rise in cyber crime in recent years and by the fact that internet connectivity is now being built into nearly every sort of device (particularly as 5G continues to roll out and expand the scope of what “smart” devices can do). The administration appears to be seeking a long-term and measured approach to this, however, calling for safe harbor provisions for manufacturers that hew to safety guidelines as this transition is made.
However, the administration is also not taking direct action on software; the National Cybersecurity Strategy makes clear that the specific path forward (in terms of the extent of liability and penalties) is ultimately a matter for Congress to decide. The administration’s initial contribution to this process is to undertake development of standards of care for software development, as well as a framework for safe harbor agreements.