Make companies liable for software insecurity, top cybersecurity official says

Make companies liable for software insecurity, top cybersecurity official says


Welcome to The Cybersecurity 202! David DiMolfetta is going to be the full-time researcher for both us and The Technology 202, and he contributed on his very first day! On occasions when he takes over in my absence, he’s surely going to diversify the music recommendations I’m prone to giving around here. Please give him a warm welcome.

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The National Security Council is hosting a roundtable on artificial intelligence today with experts from the United States and European Union, and the U.S. Marshals Service suffered a “major” security breach last week. First:

CISA director hops into the thorny topic of software liability

Congress should advance legislation allowing software manufacturers to be held legally liable for the insecurity of their products, and it should also shield companies that develop secure software from legal liability, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said Monday.

By calling for that proposal, Easterly waded into one of the toughest cyber issues to crack.

  • The idea of holding software makers liable for their security shortcomings has floated around for more than two decades in the United States, with noted cryptographer Bruce Schneier campaigning for it as far back as 2002.
  • The congressionally created Cyberspace Solarium Commission, which has found success with most of its proposals to lawmakers, has deemed its recommendation on software liability one of the two hardest to get to the finish line.

But Easterly mentioning it “made my day,” said Mark Montgomery, who was executive director of the solarium commission and serves in the same role in its successor organization CSC 2.0. It’s “one of the hardest kinds of legislation to get done in Congress,” he told me, because it would hold a whole industry accountable for its security missteps.

Easterly’s proposal comes amid a CISA push for tech companies to offer products that are “secure-by-design,” meaning that security is baked into the design process from the beginning, and “secure-by-default,” which refers to products that arrive with secure settings at no additional cost.

“Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” Easterly said during a speech at Carnegie Mellon University.

Easterly elaborated afterward in a question-and-answer session with the audience:

  • It’s problematic that when users buy a new tech product they have to click “agree” on lengthy terms of service documents, she argued, and users have learned that they will have to continually update their software. “Nobody reads that. But essentially by just saying ‘agree,’ because, ‘Yeah, I’ve got to get my iPhone,’ you’re accepting liability,” Easterly said. “The burden is being placed on the user, and that’s what we have to stop.”
  • At the same time, it’s understandable when a company gets hit by a sophisticated hacker with ties to another nation’s government, and that’s when the idea of a safe harbor comes into play, Easterly said. “If companies are doing all the right things and still get breached, I think you bring that into the calculus,” she said.

But she hasn’t reached out to Congress or industry to gauge interest in the legislative proposal, she told reporters after the event. She said she expects to see “some of the ideas I previewed today in the national cyber strategy,” a long-awaited Biden administration policy blueprint. The Office of the National Cyber Director worked with industry on the document, she noted. 

“Obviously we want to work any of these things very closely with the Congress, and frankly, cybersecurity is an issue that has enjoyed bipartisan support and we want to continue to have that bipartisan support,” Easterly said. “Industry realizes the importance of this as well, so I’m looking forward to having robust conversations with both.”

Because of the push-and-pull between software companies that want protections and consumer advocates who want accountability, the idea has been tough to get off the ground, Montgomery said. 

“If she can thread that needle, good on her,” he said of Easterly. Further complicating matters, Montgomery said, is deciding specifics like, “When does that liability end? When you stop doing software upgrades?” Microsoft supported Windows 7, released in 2009, with patches until 2020.

The Solarium panel drafted sample legislation as a starting point for any lawmaker who wants to embrace the issue, but it has had trouble finding takers, as of a CSC 2.0 report in the fall.

It shares space among the commission’s most difficult proposals with consolidating congressional oversight of cybersecurity into one committee each in the House and Senate. Lawmakers are notorious for not wanting to give up their existing oversight powers.

Two arguments cautioning against the liability legislation idea go like this, courtesy of Chris Wysopal, a member of the famed hacker collective L0pht and the founder and chief technology officer of the cybersecurity company Veracode:

  • “It’s virtually impossible to clearly and accurately determine a single vendor to blame,” he wrote for Forbes in 2020. “Who would you choose to be liable for a security breach? The company that was breached? The vendor of the hardware or software that was compromised as the initial attack vector? Perhaps the vendors of the cybersecurity platforms and tools in place to ostensibly detect and block threats before they can become successful attacks?”
  • “It is impractical to think that any software, hardware or firmware can be created that is absolutely secure,” Wysopal wrote. “The question of liability is arguably too complex for one law to adequately address.” (Easterly did address this in part, as I wrote above.)

In addition, House Republicans like Homeland Security Committee Chairman Mark Green (R-Tenn.) have appeared skeptical of imposing additional cybersecurity regulations on the private sector. A spokesperson for Green did not respond to a request for comment.

One industry group that represents prominent software makers, BSA |  The Software Alliance said in response to Easterly’s comments that it has been pushing secure software guidelines and has listed improving software security as its top cyber agenda item.

“Laws and policies that seek to improve software security should be risk-based, technology and vendor-neutral, and incentivize innovation,” Aaron Cooper, vice president of policy at the group, told me via email. 

The Information Technology Industry Council, another group, “has long advocated for secure-by-design practices as an important component of a holistic approach to cybersecurity risk management,” said John Miller, its senior vice president of policy and general counsel. 

The groups look forward to working with the Biden administration and Congress, Cooper and Miller said.

Jay Bhargava, a spokesperson for Senate Homeland Security and Governmental Affairs Chair Gary Peters (D-Mich.), said, “We’re currently examining this issue.”

Exclusive: NSC to host AI roundtable with U.S., E.U. experts

The National Security Council is hosting a high-profile group of artificial intelligence and policy experts today as part of a new collaboration between the U.S. and E.U. on AI, according to details shared exclusively with The Cybersecurity 202. 

The meeting is meant to kick-start discussions about the technology’s growing threat across the globe. It will feature presentations by research teams in both countries about their progress so far in delivering benefits for extreme weather and climate forecasting, emergency response management, health and medicine improvements, electric grid optimization, and agriculture optimization, according to an NSC spokesperson who spoke on the condition of anonymity to speak candidly on the matter. 

The collaboration comes as the cyber world is wrestling with how to deal with artificial intelligence because many of its impacts remain unknown. Last month’s announcement of the collaboration said it would be crucial to establishing a secure internet and maintaining digital privacy. 

Sensitive information leaked in ‘major’ breach of U.S. Marshals Service

The U.S. Marshals Service on Monday confirmed that it suffered a significant data breach earlier this month in which hackers were able to access sensitive law enforcement information about the subjects of agency investigations, NBC News’s Andrew Blankstein, Michael Kosnar, Jonathan Dienst, and Tom Winter report.

In a statement Monday, Marshals Service spokesperson Drew Wade told NBC that the Feb. 17 extraction “contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

He added that ransomware affected a stand-alone system, which was quickly disconnected from the network. The Justice Department has already launched a forensic investigation into the breach and the agency has also been able to create a workaround so that it can still conduct critical business. 

A senior official familiar with the matter who spoke on the condition of anonymity to discuss the incident said that it did not involve the database related to the witness protection program, and that none of those individuals were in danger because of the breach. 

Don’t rush to require SBOMs, industry group says

Itemized lists of components that make up software products, known as Software Bills of Materials (SBOMs), are increasingly recognized as helpful in advancing software security, an industry group said in a policy paper today — but it stressed that policymakers should not rush to institute SBOMs in statutory cyber reporting requirements. 

The Information Technology Industry Council said in the paper it shared exclusively with The Cybersecurity 202 that SBOMs can help organizations identify their potential risk vulnerabilities. But requirements now would be impractical because present-day SBOM reports would not necessarily align with other reporting requirements developed later, and the concept still needs time to develop before becoming law, the group said. Lawmakers excluded an SBOM proposal from last year’s defense policy bill.

Many thanks to our new colleague David DiMolfetta for helping report this item. 

White House gives agencies 30 days to impose federal device TikTok ban (CNBC)

House panel to debate bill allowing president to ban TikTok (The Hill)

‘Take It Down’ tool helps young people remove explicit online images (Wall Street Journal)

Danish hospital websites targeted in cyber attack (The Local Denmark)

New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (Bleeping Computer)

Murdoch admits some Fox hosts ‘were endorsing’ election falsehoods (By Jeremy Barr, Sarah Ellison and Rachel Weiner)

TikTok banned on all Canadian government mobile devices (Associated Press)

  • CISA Chief Information Officer Robert Costello will deliver remarks virtually at the 2023 Information Security and Innovation Forum today at 8:05 a.m. 
  • The Brookings Institution will hold a discussion with Assistant Attorney General Matt Olsen about the potential reauthorization of the Foreign Intelligence Surveillance Act today at 9:30 a.m. 
  • CISA Assistant Director for Stakeholder Engagement Alaina Clark will speak at the Academia Involvement in Community Cybersecurity Conference at the University of Texas today at 12:40 p.m. 
  • The House Select Committee on China will hold its first hearing on decoupling the U.S. from China today at 7 p.m. 

Thanks for reading. See you tomorrow.