New National Cybersecurity Strategy

Last week, the Biden administration released a new National Cybersecurity Strategy (summary here). There is lots of good commentary out there. It’s basically a smart strategy, but the hard parts are always the implementation details. It’s one thing to say that we need to secure our cloud infrastructure, and another to detail what that means technically, who pays for it, and who verifies that it’s been done.

One of the provisions getting the most attention is a move to shift liability to software vendors, something I’ve been advocating for since at least 2003.

Slashdot thread.

Posted on March 6, 2023 at 7:06 AM • 22 Comments

Comments

Denny11 March 6, 2023 10:50 AM

“shift liability to software vendors”

… if your automobile is stolen, should its manufacturer be legally liable for that theft — due to inadequate security in the vehicle design ?

what is the core ethical principle for liability in a voluntary buyer/seller sales exchange?

Douglas Palmer March 6, 2023 11:01 AM

A hazard I see is software companies imposing onerous security procedures on the user, such as twice-monthly password changes or very complex configuration procedures, then ducking liability if there is any minor error by the user in following the instructions.

chad March 6, 2023 11:37 AM

“… if your automobile is stolen, should its manufacturer be legally liable for that theft — due to inadequate security in the vehicle design ?”

Interesting comparison since Hyundai and Kia are being sued right now for poor design that makes their cars easier to steal.

Clive Robinson March 6, 2023 12:24 PM

@ Bruce, ALL,

Re : Software Liability.

“… a move to shift liability to software vendors, something I’ve been advocating for since at least 2003.”

I used to agree with it, but now I’m more cautious.

If the system is single vendor, such as embedded systems, then it takes little effort to establish responsibility.

However, consider many smart phones with fifty apps on them all using a multitude of software developer kits (SDKs) sending communications back and forth across the Internet to cloud service providers.

How do you prove who was liable or not?

And that’s before you start talking about standards and protocols getting blamed, and what about Open Source software developers?

My experience with large engineering projects is that “the big boys” will absolve all responsibility by picking on the person/organisation that,

1, Can least afford high legal costs
2, Has a large insurance company covering professional indemnity.

Also sorry to say it but US courts almost always side with US entities against non US entities, regardless of actual fault…

Thus I can see a national retaliatory policy coming in outside the US at national level. That is major reciprocating action where the likes of Microsoft and AWS will get treated like feral dogs in foreign courts and get up to 10% of total organisational turnover world wide as fines as first offer…

Yes US corps will belly-ache like crazy, but they will be given the “Seppuku-sayonara” option as other national governments decide it’s time for their national law to be the one that is preeminent for their citizens etc regardless of where they are. Oh and at least a little pay back for non-payment of taxation etc etc.

If people think what we are seeing with China is bad news currently, wait and see what will happen in response. People in the US laughed at the GDPR then were shocked with what started to happen. So we’ve ended up with even major web sites sticking up pages that say “sorry for technical reasons” or some other nonsense because they’ve decided not to risk it. But it will almost certainly get worse for US organisations especially the big name Silicon Valley Mega Corps etc.

Imagine how those Walled Garden App store owners will feel when they get told “selling from your garden – full liability”.

Unless very very carefully done the result will be bl@@dy, especially as the US has most to lose on it.

Winter March 6, 2023 12:33 PM

@lurker

And the implications for FLOSS are … ?

I do not think there are many implications as it is formulated now:

One of the provisions getting the most attention is a move to shift liability to software vendors,

Note the word “vendors”. And note Open Source is everywhere. So vendors reselling open source will have some work to do. Or maybe, companies stop selling software and start only selling services?

https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html

The annual “Open Source Security and Risk Analysis” (OSSRA) report, now in its 8th edition, examines vulnerabilities and license conflicts found in roughly 1,700 codebases across 17 industries. The report offers recommendations for security, legal, risk, and development teams to better understand the security and risk landscape accompanying open source development and use.

With the conclusion:

96% of scanned codebases contained open source

76% of code in codebases was open source

mark March 6, 2023 1:06 PM

  1. Doug Palmer, you shouldn’t be changing your passwords twice a month. NIST 800-53, as of ’19, was saying once in two years (and that’s the medium, not DoD, std for the US gov’t).

But when do we get to add liability to hardware vendors? You, over there, with a smart everything in your house… when did the OEM update the firmware on your refrigerator? Or your thermostat? Or security cameras? Do they know what the words “firmware update” even mean? Here’s $0.50 that they don’t.

SwashbuckingCowboy March 6, 2023 1:17 PM

I don’t see any significant liability legislation being enacted. Lobbyists own Congress in the US and Big Tech will spread the money around to ensure that either no legislation is enacted or that it has a safe harbor provision that will effectively render the legislation worthless.

Phillip March 6, 2023 9:29 PM

Also, the separate issue with spreading hysteria, as with Dominion voting machines. We need to create an environment where companies who do care are rewarded, not singled out.

Clive Robinson March 6, 2023 11:53 PM

@ Phillip,

Re : Do not assume opposites.

“as with Dominion voting machines. We need to create an environment where companies who do care”

There is no more evidence that Dominion “care”, than there is evidence that they were “deliberately vote rigging”, but the latter does not in any way imply the former.

Arguably they exist somewhere in between, but there was “no evidence presented” that they “care” or if they “do care”, what they might “care for” other than to implicitly make profit for their shareholders as required by law. All in an environment without specified standards or testing required in any meaningful way.

And the court case they have brought against an MSM will be unlikely to present evidence that they “care”, only that they did not do what the MSM implied they had done based on the ramblings of a few malcontents at the vote outcome, and an orchestrated series of frivolous law suits brought by Sidney Powell, who has been shown to be very sloppy in her work and earned the disapprobation of more than one judge.

It needs to be noted that Dominion are not just going after the MSM but about a dozen other entities, nor are Dominion alone in taking the particular MSM to court for defamation or similar. It’s just that Dominion are “first up” to try taking a whack at what some see as the “piñata of the year”.

You can read more from the end of last week at,

https://www.forbes.com/sites/alisondurkee/2023/03/03/fox-unlikely-to-settle-with-dominion-over-election-lies-as-high-stakes-trial-nears-experts-say/

But note nowhere in there is anybody talking about Dominion “caring” about anything other than the claims of defamation.

Gert-Jan March 7, 2023 6:49 AM

Bruce,

It’s basically a smart strategy, but the hard parts are always the implementation details

I completely agree, with both parts.

Because what you want to achieve, is that software vendors put “sufficient” effort in securing the product.

But it seems very difficult using US law to achieve this behavior. Because there are so many alternative tactics to avoid getting fined for breach of such law, such as blaming everyone else in the world. Not to mention that the wheels of justice move slowly, adding the eternal delay tactic and pushing for settlements. Regulating software businesses is only effective if the perceived cost of abiding by the law is lower than that of breaking the law.

It is unfortunate that too many people and businesses don’t care much about security. They allow companies like Equifax to simply do a mea culpa and get on with business as usual. I would hope for more social pressure against doing business with security-ignorant companies.

Petre Peter March 8, 2023 8:53 AM

“Airlines do not compete on security”. I think it will be the same for cars. This is because manufacturers will do as little as legally possible for security since they won’t be able to compete in the market with it. Security by default is the idea that will convince manufacturers to compete on security out of the box instead of blaming the user for not configuring the application properly. It’s like buying a car that comes with uninstalled seat belts. If they won’t work then the fault can be blamed on the customer for not having installed the belts properly. Without legislation liability is a game of hot potato.

Anon March 9, 2023 10:49 PM

Software security is incompatible with the surveillance state. A regime like in the US in general (and Biden in particular) which advocates for having a back door into everything, cannot ever be trusted to legislate for cybersecurity. No one who is serious about security would ever trust an authoritarian police state such as the United States to do anything but legislate and mandate vulnerabilities.

Clive Robinson March 10, 2023 4:14 AM

@ Anon,

“A regime like in the US in general (and Biden in particular)”

Oh dear, a factless comment, you really are not thinking, are you.

There are firstly many way way worse places from the Pacific West coast through to the East of Europe and down to Australia and South Africa. Then there are one or two in South America as well. Then add in all the off shore and similar mercenary and similar “guns for hire” organisations and mostly the world is a Police State…

Secondly in any democracy with a nominally free press you have the issue of,

“Damned if you do, damned if you don’t”

If sufficient controls are not put in place then activities society think are wrong will prosper.

So society looks down on,

1, Criminal activity.
2, Loss of privacy.

Which do you think society cares most about and by how much, and importantly why?

Well politicians have to make judgment calls on these sort of issues all the time.

In a democracy it’s a case of doing a juggling act whilst tight-rope walking above a fiery pit.

In many places it’s easy: the person in charge does what they want and those that disagree get persecuted or disappeared.

If you want to disappear to such a place, nobody is really stopping you.

Winter March 10, 2023 6:16 AM

@Clive

If you want to disappear to such a place, nobody is really stopping you.

I once had a long drawn out discussion with a person with ideas like anon. However, he was also disgusted by modern “woke” society (although at the time, “woke” was not in vogue yet). In short, he lambasted the depravity, decadence, and decline of the Western democracies.

So he decided he would migrate to this pure state, where society was not woke, decadent, and depraved.

Last I heard from him he was telling he would move to Belarus soon.

PS, I assume that the fact his wife was Belarusian played a role too. But he denied that.

Clive Robinson March 10, 2023 7:30 AM

@ Winter

Re : White Russia,

“Last I heard from him he was telling he would move to Belarus soon.”

There is an old joke from the height of the cold war,

At a science conference three men were standing apart, two speaking very animatedly, the third with his head slightly canted over listening intently.

The first, a veritable bear of a man with dark beard, was a white Russian clearly defending the Russian political system and decrying the decadent capitalist ways of the west.

The second, tall and slight in a well cut suit, was a Washington university type with button down shirt and a blondish brown moustache, was somewhat affronted and clearly pushing the libertarian capitalist democracy system and decrying the near police state that was Stalin’s legacy.

The third man finally lifted his head straight and said in a Jewish accent, “Gentlemen, if I may make an observation?” to which the first two stopped and looked enquiringly at him. He went on “It appears to me that there is in reality little difference between your nations”, at which point the first two looked at him incredulously. So he went on, “as nations you have strong ideals of what is right and what is wrong” which drew nods from the other two. So he went on, “In fact I can tell your morality is such that your leaders chose to lock up what both your nations hold most dear” with a nod to the Russian he said “With you it is the people’s freedom” and to the American “and with you it is your people’s money” with which he nodded and said “Gentlemen, if you will excuse me, I think you have much to discuss” turning he walked slowly away shaking his head sadly.

As a Frenchman once observed,

“The more things change, the more they stay the same…”

Anon March 10, 2023 11:35 AM

The US is a right-wing imperialist authoritarian government, that regularly overthrows democratic governments, regularly invades sovereign nations on the flimsiest pretence, has the highest incarceration rate in the world. It has a well documented global torture program. Police regularly brutalize and kill your own people, more so than any other western democracy. It spends more than half the planet on its military, and has a highly militarized domestic police force outfitted with surplus military gear that is focused almost exclusively on policing its urban black population. It has virtually no welfare state compared to other developed western nations. None of what I am saying is secret or controversial.

I don’t understand people bringing up “woke”, other than maybe American-centric delusion that a Democratic US president is somehow “left-wing” (hahaha), and so that if anyone criticizes they must be an American Republican? Both parties would be considered far-right in the rest of the world’s developed democracies.

The idea that a police state like the United States is capable of protecting people’s data when it has entire agencies dedicated to mass digital surveillance and domestic spying is delusional. If anything, it will mandate back-doors that will inevitably be exploited by the US’s numerous enemies.

Chris March 15, 2023 7:05 PM

Almost all cyber problems boil down to the fact that corporations are legally responsible for their profits, with no consideration whatsoever for any protection of their customers/users.

Making software companies “liable” isn’t going to fix anything, since the corporations aren’t using effective end-user protections in the first place (no need – not their problem).

What WOULD fix the problem, is making corporations liable for losses their customers suffer when those corporations have chosen not to do all they reasonably can to protect those customers…

i.e. make them use available solutions, instead of watch them continually ignore innovation…

223 ammo March 30, 2023 3:37 AM

“Interesting comparison since Hyundai and Kia are being sued right now for poor design that makes their cars easier to steal.”

Software vendors should 100% be responsible for gaps in their defense. But if losses are made due to poor execution of decisions made by the operator, in no way should the vendor be responsible in my opinion.
