Inside Cybersecurity

April 21, 2024


National Cyber Director office opens discussion on liability, role of safe harbor from national cyber strategy

By Sara Friedman / March 23, 2023

The Office of the National Cyber Director is looking into two approaches to address liability and create a safe harbor as part of its work to implement the national cyber strategy, according to a senior official.

First, the government could choose to allow “secure development practices” crafted by industry and NIST to determine a safe harbor, ONCD’s Nick Leiserson said at a Wednesday event hosted by BSA-The Software Alliance.

Leiserson said this option would allow an entity to say it is “using these kinds of practices and can demonstrate” that they are part of its software development process in order to “disclaim liability” and avoid getting sued.

Another example is a proposal from the Cyberspace Solarium Commission to shift the responsibility for “known vulnerabilities” from consumers to those who are producing software, Leiserson said.

He said those who are “closest to the code,” and who decide whether a known vulnerability is unlikely to be exploited, would be the ones held liable.

“It’s probably best that you make that risk assessment rather than having a third party come in and do it. But if you decide that ‘Hey we know there is a bug here’ and you are going to ship with it,” Leiserson told event attendees, then “you also have some skin in the game so if someone comes along and exploits it, then you can’t disclaim liability” by making the argument that it carried more risk than expected.

Leiserson is assistant national cyber director for policy and programs. He was previously a longtime staffer for former Rep. Jim Langevin (D-RI), a member of the Solarium Commission, who retired at the end of the 117th Congress.

Leiserson said the ONCD is open to hearing from stakeholders on liability and safe harbor, emphasizing how the section in the national cyber strategy doesn’t spell out the final approach.

The BSA event on Wednesday focused on pillar three of the national cyber strategy. Leiserson participated in a panel with Mitch Herckis, director of federal cybersecurity at the Office of the Federal CIO and moderator Henry Young of BSA.

BSA’s Craig Albright moderated a high-level discussion on the strategy with Anjana Rajan, assistant national cyber director for technology security.

When it comes to implementation, Leiserson said the ONCD has two tracks – one focused on monitoring everything in the strategy and another on the specific tasks assigned to the ONCD itself.

As a whole, Leiserson said they will be “very thoughtful and deliberate,” emphasizing how the plan will not be a “static” document. “Our priorities will evolve over time as we meet preconditions that are necessary to actually achieve some of the strategic goals,” Leiserson said.

Leiserson said the implementation plan will provide direction so stakeholders can know who to contact when it comes to the taskings in the strategy. The ONCD plans to make the plan public but doesn’t have a firm timeline for release.

The ONCD is particularly interested in regulatory harmonization, Leiserson said, and “to change the conversation” to also include reciprocity. Part of this work involves discussions with international partners, Leiserson said, pointing specifically to the European Union’s Cyber Resilience Act and the General Data Protection Regulation as starting opportunities.

However, Leiserson said it’s important for the U.S. to get “its house in order” first and have a model that is informed by industry to make implementation easy. Leiserson said it’s possible to have “lower compliance costs while getting better security outcomes” and that’s “what we should be driving toward.”

The ONCD is holding “framing conversations” with industry asking for information on “three baseline questions,” according to Leiserson.

First, Leiserson said he wants to know what the baseline should be for critical infrastructure. Second is how to design a reciprocity regime with a baseline that multiple regulators would be willing to adopt.

And third, Leiserson said, is to determine how to “actually practically” implement it and what would be needed to create such a regime.

For federal procurement, Herckis said the government needs to “coalesce agencies” to purchase secure software the right way and “send signals to the marketplace” on what secure-by-design looks like for the government.

Herckis said the goal is to reduce risk and “ensure we are putting the marketplace in such a way that we are not getting inferior product…or we are not allowing for the software delivery that is needed so the American people have the services they expect delivered by the federal government.”

Beyond procurement, Herckis said there is a focus on standardizing cyber requirements for federal grant programs.