Inside Cybersecurity

Software group sees opportunity to engage with ONCD, Congress on liability protections

By Sara Friedman / April 18, 2023

BSA-The Software Alliance is eager to engage with the Office of the National Cyber Director on establishing liability protections for software products and services, a key element of the national cyber strategy that is expected to be a multi-year effort to reach an agreement among federal officials, industry and lawmakers.

“Right now, people are thinking about what are the best ways to improve software security, which is our top priority, and so really the question is what are the best ways to do that,” BSA’s Henry Young told Inside Cybersecurity.

Young said, “The national cyber strategy suggests a couple of ways but in our conversations with ONCD, it has been clear they are open to undertaking any action that would improve cybersecurity so as we come up with ideas, we are in constant communication about potential ways forward.”

Section 3.3 of the strategy proposes shifting the liability for “insecure” software products and services to “prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios.”

The national cyber strategy says the Biden administration will drive development of an “adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”

Young says BSA will “continue to have conversations about Section 3.3 over the coming years. One of the things we find very heartening is ONCD is really open to any path that achieves our shared goal of improving software security, and that is really ripe because we are going to learn new things as we work together.”

Acting National Cyber Director Kemba Walden has indicated that she expects the liability protections effort to be a “multistakeholder, multi-year exercise” and Congress will need to be involved.

The ONCD’s approach “seems like an opportunity” to come together recognizing that there’s a “shared destination,” Young said. He added, “The real question is what is the most effective way to get there and I don’t think we know the answer to that yet.”

Young said, “At some point, there will be more formal conversations. In places, the strategy calls for congressional action which means we really need industry, the administration and Congress to all come together and work toward that shared goal of cybersecurity. But there’s going to be more opinions on the most effective way to achieve that.”

“As Kemba mentioned, that’s going to take some time. You can’t do it in a day or a week but you can do that over a period of time and then appreciate the investments,” Young said.

BSA held an event last month with ONCD and Office of Management and Budget officials to launch the discussion on liability, safe harbor and other components of the strategy’s third pillar.

Young is director for policy at BSA. He spoke with Inside Cybersecurity following the release of CISA’s set of security principles for security-by-design and -default. The principles are a multi-seal product issued jointly with the National Security Agency, FBI and international partners.

Young said, “It’s pretty clear that CISA wants to push software developers who are not taking cybersecurity seriously to increase their investments in cybersecurity and really improve their game. In general, improving software security is a top priority for us and we see this as an opportunity to make the marketplace one that rewards companies that take security seriously.”

There should be a marketplace that rewards companies for using secure development practices, Young said, pointing to the BSA Framework for Secure Software and the NIST Secure Software Development Framework as places to start.

Young said, “Nothing is perfect especially when advanced persistent threats and malicious nation state actors are pretty interested in investing to find vulnerabilities and exploit them. But this is the right way forward to use these industry best practices and guidelines from NIST to show companies are doing the right things.”

“For the enterprise technology sector,” Young said, “frankly customers demand strong cybersecurity. It is a demand the market produces. Most of our members have spent years investing in security but want to continue to make it better. As malicious actors continue to evolve, security is going to have to evolve also.”

CISA’s principles are “another step in driving improved software security,” Young said. “Improved software security is a top priority for us so the best ways we can do that are using industry best practices and internationally recognized standards. It is a way to demonstrate these companies are really serious about cybersecurity, as challenging as it is and as frustrating as it can be at times, no one is laying down. Everyone is trying to figure out how to continue to do it better.”

CISA is planning engagement opportunities to gather feedback from stakeholders on the principles.

Young said, “Laws and policies are best when developed in collaboration between governments and industry. To me that means this is an opportunity to build on their work. CISA has shown an openness to engaging and so in good faith we will continue to engage.”

He added, “The real opportunity for improvement is to most effectively manage risk because any security practice you take comes at the opportunity cost of taking a different security practice. And so when we are thinking about how to engage, we want to make sure there is enough flexibility in any guidance that allows the software developer to understand its own contexts, the threats it faces and then take the security steps that are best tailored to actually provide the strongest security result.” -- Sara Friedman (sfriedman@iwpnews.com)