White House Targets Software Provider AccountabilityAdministration Developing 'Liability Regimes' for Manufacturers, Top Official Says
The federal government will ramp up efforts to investigate what it calls "liability regimes" for commercial software developers as part of a Biden administration effort to goad the IT market into adopting safe coding practices.
National Cyber Director Harry Coker on Wednesday said that his office is exploring liability regimes for manufacturers.
The administration's 2023 national cybersecurity strategy calls for legislation to prevent the software industry from disclaiming all liability and to establish higher standards of care (see: US Cybersecurity Strategy Shifts Liability Issues to Vendors).
The White House is "working with academic and legal experts" to explore liability regimes and will soon engage with industry, Coker said.
"Some of the most dangerous vulnerabilities that criminals look to exploit are memory safety bugs and memory safe coding languages," he added. The Department of Homeland Security has urged developers to adopt "safety by design" principles in a campaign that relies more on pleas for better security than on regulatory bite (see: CISA, Others Unveil Guide for Secure Software Manufacturing).
The Cybersecurity and Infrastructure Security Agency launched a "secure by design" alert series in 2023 that guides manufacturers on how to shield web management interfaces from malicious cyber activity and address critical vulnerabilities. The cyber defense agency previously released a secure software self-attestation common form to provide assurances that software is securely developed and follows a set of baseline cybersecurity standards, including encrypting sensitive data, enforcing multifactor authentication and implementing defensive cybersecurity practices.
The attestation form is a "good start" for software manufacturers to begin understanding "what this secure process should look like," according to Chris Wysopal, co-founder and chief technology officer of Veracode.
"All software is going to have some level of vulnerabilities," Wysopal told Information Security Media Group. "That said, we do know how to make software that has significantly fewer vulnerabilities by following proven secure development processes.
Wysopal suggested that the federal government establish a safe harbor in which "software developed with a secure process can be described as the vendor performing their security due diligence and not be held liable."
CISA released a request for information in December seeking input from industry stakeholders on how manufacturers can improve software development practices with enhanced cybersecurity measures. Director Jen Easterly said in a statement at the time that the shift to "secure by design" principles "requires action by every technology manufacturer and clear demand by every customer."
"While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives," Easterly said.