The Biden-Harris Administration issues a new cybersecurity strategy that seeks to hold hardware and software vendors accountable and lift the burden of cybersecurity off end users and small businesses.
On March 1, 2023, the White House issued a new National Cybersecurity Strategy that details the federal government’s plan to enhance the nation’s cybersecurity posture. While there are many notable aspects of the strategy, one striking element is the White House’s acknowledgment that “too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”
The White House argued that the existing free market incentives do not sufficiently reward – and often punish – hardware and software vendors that invest their resources in cybersecurity features. The White House called out hardware vendors that ship products with insecure default configurations or integrate unvetted third-party software, thereby foisting the burden of security on the end user who may not have the knowledge or the ability to secure the device. The White House also called out software vendors who leverage their bargaining power to disclaim any contractual liability for security and therefore have no incentive to invest in security features.
The White House seeks to challenge the status quo through new legislation and regulation that would make hardware and software vendors more accountable for security. The White House declared that “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
Five Pillars of Cybersecurity Strategy
The White House’s cybersecurity strategy rests on the following five pillars:
- Defending critical infrastructure;
- Disrupting and dismantling threat actors;
- Shaping market forces to drive security and resilience;
- Investing in a resilient future;
- Forging international partnerships to pursue shared goals.
The third pillar – shaping market forces – is detailed below.
Across the other four pillars, the White House repeatedly emphasized public-private partnerships to share threat intelligence and enable a faster, better-coordinated response. For critical infrastructure, the White House emphasized the role of Sector Risk Management Agencies (SRMAs) in gathering and distributing threat intelligence to all participants in their sectors and improving resilience.
The White House also aimed to make the federal government’s own systems a model for best practices, highlighting initiatives to retire legacy systems that cannot support modern security controls and to adopt a zero-trust architecture. As examples of those best practices, federal agencies have already committed to “implement multi-factor authentication, encrypt their data, gain visibility into their entire attack surface, manage authorization and access, and adopt cloud security tools.”
Proposed Legislation to Shape Market Forces
For the private sector, the White House outlined the following six strategic objectives to shape market forces and shift more of the responsibility for security onto hardware, software, and digital service providers.
1. Enact new national data privacy and security legislation
The White House pressed Congress to enact a national data privacy law that imposes clear limits on companies’ ability to collect and transfer personal data and establishes strong security requirements for that data.
2. Enact new legislation to impose duties of care on hardware and software vendors
The White House emphasized that the costs of cybersecurity failures are often borne exclusively by end users, including small and medium-sized businesses, while hardware and software vendors leverage their bargaining power to disclaim any liability. The White House argued that “end users bear too great a burden for mitigating cyber risks” and that “a single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.”
The White House called for Congress to enact legislation that prevents hardware and software vendors with market power from fully disclaiming liability by contract and that establishes higher standards of care in specific high-risk scenarios. Such legislation would place hardware and software vendors in a position comparable to doctors, lawyers, and fiduciaries, who cannot disclaim responsibility to the clients who depend on their expertise.
The White House acknowledged that such legislation should be paired with an adaptable safe-harbor framework that shields from liability vendors that securely develop and maintain their products, drawing on existing secure development practices such as the NIST Secure Software Development Framework. In practice, a vendor’s ability to mitigate litigation risk under such a regime would depend on documenting that those practices were actually followed.
3. Increase accountability for federal contractors
The White House called for the federal government to use its purchasing power to require contractors to build security into their products and to enforce procurement regulations against contractors that violate them. The White House highlighted the Department of Justice’s Civil Cyber-Fraud Initiative, which uses existing authority under the False Claims Act to pursue federal contractors that knowingly provide deficient cybersecurity products or services or knowingly misrepresent their cybersecurity practices.
4. Improve Internet of Things (IoT) hardware security through consumer labeling
The White House called out hardware vendors that ship products that have “inadequate default settings, can be difficult or impossible to patch or upgrade, or come equipped with advanced – and sometimes unnecessary – capabilities that enable malicious cyber activities.” The White House noted these concerns range from consumer products like fitness trackers and baby monitors to industrial products like control systems and sensors. To combat this, the federal government is developing a consumer labeling standard for IoT hardware that discloses the security features of the product and enables consumers to effectively compare products and make informed purchasing decisions.
5. Explore federal cyber insurance backstop
The White House called for an assessment of whether the federal government should establish a federal insurance backstop to respond to catastrophic cybersecurity events that exceed what the private insurance market can absorb.
6. Increase federal spending on cybersecurity
The White House proposed increased federal investments in cybersecurity including through grant programs and research and development initiatives.
Cyberattacks are growing more sophisticated, and they exploit a digital ecosystem in which new layers of technology are built on older ones, some of which contain known flaws that vendors no longer patch or support. Hardware and software vendors often disclaim liability for these known risks and do not disclose them to end users, who frequently lack the knowledge or ability to protect themselves. While the White House wants Congress to enact new legislation to change that reality, it may be some time before Congress is able to pass meaningful reform.
In the current landscape, it is important for business owners to get legal and technical advice on the risks posed by the hardware, software, and digital services their business depends on. Octillo monitors developments regarding data privacy and security. Our team of experienced attorneys and devoted technologists is specially equipped with the skills and experience to help businesses evaluate the legal risks posed by modern technologies. Octillo can help businesses negotiate with vendors and develop comprehensive and scalable data privacy and security programs.
*Attorney Advertising: Prior results do not guarantee future outcomes.