Mar 2, 2023

Biden’s Cyber Plan Would Hold Software Makers Responsible in Hacks

Katrina Manson and Courtney Rozen, Bloomberg News

A woman uses a laptop as she holds a mobile phone in this arranged photograph in London, U.K., on Thursday, Sept. 10, 2020. U.K. consumer spending jumped the most since 2016 last month, led by a surge in Internet purchases as bars and restaurants continued to suffer. Photographer: Hollie Adams/Bloomberg , Bloomberg

(Bloomberg) -- The Biden administration is set to release an aggressive new national cybersecurity strategy on Thursday that seeks to shift the blame from companies that get hacked to software manufacturers and device makers, putting it on a potential collision course with big technology companies.

The 35-page strategy, shared in advance with a group of reporters, asserts that software makers must be “held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers.”

“Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” according to the document.

The new strategy commits the administration to work with Congress and the private sector “to develop legislation establishing liability for software products and services.”

President Joe Biden said in a statement that the strategy “takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”

A top Google official, for one, said his company welcomed the Biden administration plan. Phil Venables, Google Cloud’s chief information security officer, said there are many products in the marketplace that don’t have basic protections built in. The strategy could force companies that aim to undercut competitors with cheap products that lack security protections to meet minimum security standards, an important development, Venables said.

Senior US officials have publicly complained that technology companies, including Microsoft Corp. and Twitter Inc., have failed to sufficiently secure user accounts.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, this week fired a broadside over such failings, including flawed code and poor practices, which she said make users susceptible to hacks.

Such an ambitious effort comes despite the failure of the Biden administration to advance legislation in its first two years to rein in the power of the biggest tech companies including Alphabet Inc.’s Google, Apple Inc., Amazon.com Inc. and Meta Platforms Inc.

The White House endorsed such moves although critics said it didn’t push the Democratic Senate Majority Leader Chuck Schumer hard enough. Schumer didn’t put a major tech reform bill up for a vote last year.

A senior administration official, who spoke on condition of anonymity to brief reporters, conceded shifting liability for cybersecurity breaches to software companies would require legislative action and was part of a long-term process that could take as long as a decade. The official added that the administration didn’t expect to see a new law on the books within the next year.

The next presidential election is less than two years away, raising the question of whether the administration can even come close to delivering the most ambitious goal of its new strategy to protect Americans from hackers.

The senior official later told Bloomberg News that the administration would seek to capitalize on bipartisan support for greater cybersecurity. However, short of legislative action, customers could bring civil claims against software and device manufacturers in a bid to improve security standards and shape market forces, an approach the administration endorses, the official said.

The official said there was room for collaboration with the software industry rather than confrontation. In addition, the administration hopes that its plan will force companies to do better in securing its software to win customers in a competitive marketplace, the official said.

The administration’s strategy also promises a stronger stance against ransomware, in which criminals encrypt a victim’s files until an extortion fee is paid. (Many attackers now steal files, too, and threaten to post them publicly unless paid).

In increasingly aggressive approach to disrupting such groups, the Justice Department last year closed down crypto exchanges used by ransomware criminals through the use of sanctions and the FBI earlier this year took down the Hive ransomware group by seizing control of servers and websites used by its members in coordination with German and Dutch officials.

The strategy will also seek to expand minimum cybersecurity requirements for critical infrastructure sectors without additional legislation, likely to be one of its most achievable aims.

Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters the administration recognized information-sharing and partnership with industry alone was inadequate to overcome risks to US critical infrastructure and that the administration now needs to “implement minimum mandates.”

She added that the administration had already put in place minimum cybersecurity requirements for pipelines and railways and would announce them for additional industries, though she did not say which ones.

Neuberger said the US government can use purchases to shape a market. As a New Yorker, she said she appreciates restaurant hygiene ratings that are included entrance doors, and that labeling software and devices could similarly enable customers to make more secure choices.

Chris Inglis, who worked on the strategy during his tenure as Biden’s national cyber director, told Bloomberg News during his final days in the post last month that Congress “gets a vote” on the plan.

“We will continue to work with the Congress to determine what they want to do, what they’re willing to do, but we need to use executive authorities as well,” he said. “The regulatory framework that I think will emerge has to benefit from a high degree of consultation and the lightest possible touch and some degree of harmonization, so we don’t actually exercise some duplication of effort which wastes time in one or more corners.”

--With assistance from Emily Birnbaum.

(Updates with a comment from Google and additional comments from Anne Neuberger.)