President Biden’s recently released National Cybersecurity Strategy details the Biden administration’s efforts to bolster the nation’s cybersecurity amid an evolving threat landscape, including vast cyber-criminal enterprises and adversaries such as China, Russia, Iran, and North Korea. In a shift from its prior focus on voluntary incentives to drive cybersecurity enhancements, the Biden administration’s strategy calls for a variety of measures aimed at increasing government regulation to address cybersecurity gaps. The strategy:
- Seeks, for the first time, to shift liability onto developers of insecure software products and services;
- Calls on Congress to enact national legislation to place limits on the ability to collect, use, transfer, and maintain personal data;
- Calls for cybersecurity minimum standards and other regulations to secure critical infrastructure sectors; and
- Seeks to leverage federal procurement rules to impose cybersecurity requirements, with a threat of civil actions against government grantees and contractors that fail to meet cybersecurity obligations.
The strategy document, released publicly last week, reflects the administration’s evolving view that market forces alone have failed to promote adequate cybersecurity protections, and that regulation will be needed to correct these market failures. What these strategic ambitions will mean in practice remains to be seen. Many of the strategy’s calls to action will require legislation and/or lengthy rulemaking processes that are likely to play out over a number of years.
In addition to the focus on regulation, the strategy also prioritizes the government’s growing efforts to disrupt and dismantle cyber threat actors in coordination with international partners, and recognizes the need for long-term investments in cybersecurity to build a robust cybersecurity workforce, coordinate research and development investments in cybersecurity, and use market forces and public programs to strengthen the security of the nation’s information technology systems.
Shifting Liability to Hold Technology Companies Responsible for Vulnerabilities in Their Products
The strategy is animated by a view that while “[e]very day cyber defenders foil state-backed attacks and prevent criminal plots around the world . . . the underlying structural dynamics of the digital ecosystem frustrate their efforts,” and technology remains susceptible “to disruption [and] vulnerable to exploitation.” One of the strategy’s main pillars is to:
redistribute the burden for mitigating cybersecurity risks from end users – such as individuals, small business, state and local governments, and infrastructure operators – to the owners and operations of the systems holding data and the technology providers that build and service those systems.
The proposed solutions to these problems are “fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.” The strategy seeks to hold accountable companies “that fail to take reasonable precautions” to secure their products and “fail to live up to the duty of care they owe consumers.”
Jen Easterly, the head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), previewed the administration’s position in a February 27, 2023 speech at Carnegie Mellon University in which she urged a shift in responsibility – and potentially legal liability – to software vendors and other developers of technology that can be exploited in cyberattacks. This comment echoed the sentiments expressed in a recent article in Foreign Affairs magazine by Ms. Easterly and CISA Executive Assistant Director Eric Goldstein, in which they argue that fixing security problems at the design stage is essential to ensure the safety and resilience of the “cyberspace ecosystem.” Shifting liability to those companies that make the nation’s technology, they argue, is no different than holding car manufacturers responsible for the safe design of their vehicles.
Easterly and Goldstein acknowledge the challenges that heightened security investment will create for smaller tech companies and new market entrants, but posit that creativity will save the day and that heightened security should be viewed not as a cost but as a positive differentiator for U.S. companies. But it is also true that, depending on the nature of the regulations, resource-strapped companies may be discouraged from innovating, if in doing so they face exposure to potentially massive liability.
How such a liability shift is implemented in practice, to the extent Congress even takes up the issue, will matter a great deal. The strategy offers few details for what software liability would look like, but a core tenet of the administration’s vision is to encourage software developers to adhere to a safe harbor framework for secure software development that would be based on the National Institute of Standards and Technology (NIST) Secure Software Development Framework.
The administration historically has encouraged technology providers and the makers of hardware and software products to voluntarily disclose and correct identified vulnerabilities. It remains to be seen whether attempts to shift liability to vendors may have the effect of discouraging the transparency and cooperation that the administration seeks from the tech industry. Unsurprisingly, technology companies and the associations that represent them have reacted with concern over the new approach. Some of the proposed solutions, such as to “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies” have led to particular unease among the technology sector. Industry players also question where the administration obtained the information about the supposed “insecure” software products and services that the strategy document claims are rampant.
Broad Implications for Government Contractors and Subcontractors
Concerns may be especially acute for those software and hardware vendors that sell products to the U.S. government. The federal government has broad authority to implement policy changes in its capacity as a buyer of goods and services, and has repeatedly used this authority to influence cybersecurity policy. The strategy explicitly calls for using the government’s purse strings as a means of advancing the administration’s cybersecurity agenda, and this is an approach we’ve seen previously, including in the administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity.
Building on the requirements of the 2021 Executive Order, the government announced an attestation requirement for manufacturers of commercial software sold to the federal government to confirm compliance with NIST software supply chain requirements. This and other cybersecurity representations made by government contractors, product manufacturers, and service providers are examples of the types of regulations called for by the new strategy. These requirements are supplemented by added scrutiny from the Department of Justice (DOJ) Civil Cyber Fraud Initiative, which raises the prospect of potential contractual and False Claims Act (FCA) liability for security lapses.
As we have previously discussed, the DOJ’s FCA enforcement efforts through the Civil Cyber Fraud Initiative are to focus on: (1) entities that knowingly provide “deficient” cybersecurity products or services to the government; (2) entities that knowingly misrepresent their cybersecurity practices and protocols and, as a result, fail to comply with regulatory and contractual cybersecurity obligations; and (3) entities that knowingly fail to fulfill their regulatory and contractual obligations to report cybersecurity incidents and breaches. The strategy suggests that the government may take an expansive view of what constitutes a “deficient” cybersecurity product, to include products that contain an unreasonable number of vulnerabilities.
The administration expressly acknowledges the Civil Cyber Fraud Initiative’s role in ensuring cybersecurity compliance, and we expect increased DOJ scrutiny and enforcement of regulations pertaining to sales to the U.S. government to be part of the implementation of the strategy.
Other Cybersecurity Goals and Priorities
We briefly discuss some of the other priorities of the strategy below.
New Cybersecurity Regulations Aimed at Critical Infrastructure
In July 2021, President Biden signed a National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems.” The memorandum, among other things, directed the creation of cybersecurity performance goals for critical infrastructure and established a voluntary effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. More recently, in March 2022, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which, among other things, required CISA to issue regulations requiring covered entities to report cyber incidents within 72 hours and ransom payments within 24 hours. See “U.S. Congress Passes Cyber Incident and Ransom Payment Reporting Requirement” and “U.S. Congress Introduces Bill That Would Require Mandatory 24 Hour Cyber Breach Notification for Government Agencies, Contractors, and Operators of Critical Infrastructure” for our prior coverage of CIRCIA.
The strategy proposes to build on these efforts by pursuing new and updated cybersecurity regulations “calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.” Strategy at 8. The administration has indicated that it intends to leverage existing cybersecurity frameworks and standards, such as CISA’s Cybersecurity Performance Goals and the NIST Framework for Improving Critical Infrastructure Cybersecurity, when crafting these new regulations. Id. In theory, any new regulations should have underpinnings in existing authorities with which affected organizations are familiar, and moreover, the strategy includes a welcome call for more uniformity and harmonization across the regulations that apply in different sectors.
Use of Government Funding to Modernize Cybersecurity
The strategy promises renewed investment, through federal contracts and grants, to modernize federal technology. For the government itself, the Office of Management and Budget will lead “development of a multi-year lifecycle plan” to accelerate technology modernization and the elimination of legacy systems that are costly to maintain and difficult to secure. In terms of further research and development in partnership with industry and academia, the government will fund projects in artificial intelligence, operational technologies and industrial control systems, cloud infrastructure, telecommunications, encryption, system transparency, and data analytics. The administration suggests these research efforts “will facilitate the proactive identification of potential vulnerabilities” and the means to mitigate them.
Coordination of Efforts to Disrupt Criminal and Foreign Actors
The administration devotes a pillar of the strategy to the need for the U.S. government, including the Department of Defense, DOJ, and federal law enforcement agencies, to better coordinate to disrupt the activities of cyber criminals and nation state actors. The strategy also recognizes that cooperation with the private sector and with other countries is a key part of this effort.
Conclusion
Implementation of the administration’s cybersecurity strategy could result in a significant shift for technology manufacturers and service providers – away from a purely cooperative, voluntary posture and toward regulatory mandates and enforcement. While major legislation may be unlikely in the current political environment, many changes could be implemented through the regulatory process. Potentially impacted software and hardware manufacturers, SaaS providers and integrators should remain vigilant, prepare for forthcoming changes, and consider working through the federal rulemaking process to influence proposed regulations before they are finalized.