Higher Stakes for Software Liability Are Coming

In March, the White House released the National Cybersecurity Strategy -- the first update since 2018-- taking current cyber threats into account. Industries must now navigate higher standards of liability for vulnerabilities or security flaws within their products during a time when cybercrime continues to evolve and increase.

Shift in Liability

Currently, contracts offer a haven for software companies to limit the liability they will face -- or completely evade liability -- in the case of a cyberattack. As a result, software providers are not incentivized to develop secure applications without vulnerabilities. But the new strategy offers a plan for change. It outlines steps the federal government will take to develop regulations that will establish liability for software products and services. The strategy also calls for partnership among the government, Congress, and the private sector. Furthermore, it recommends “higher standards of care for software in high-risk scenarios”.

The full impact of this shift in strategy is still unrealized, but the tech industry should begin preparations. Several years ago, the Financial Stability Board warned that dependence on a widely used third-party service provider for critical services could create a single point of failure that could topple financial stability. Software vendors in critical infrastructure industries -- including financial services -- need to begin closely scrutinizing their products’ cybersecurity to ensure preparedness for potential new regulations.

The new strategy signals the federal government is getting serious about cybersecurity and the potential national security implications of a breach. It appears the strategy is trying to discourage vendors from creating products that are just “secure enough” and to analyze their posture with potential ramifications in place. Under the outlined rule change, evading lawsuits will not be possible.

Exceptions to the Rule

Cybercriminals continue to evolve their tactics, and software deemed secure one day can be exploited the next. As a result, the strategy recommends the creation of a safe framework to protect companies that securely develop and maintain their software. This can ensure companies are not liable when a threat actor still targets systems, even when generally accepted best practices are used, such as the NIST Secure Software Development Framework or Secure by Default principles released by the Cybersecurity and Infrastructure Security Agency (CISA).

This move proves that the federal government is seeking increased effort to develop secure software. Companies that uphold generally accepted best practices will not need to worry about the shift in liability as long as they maintain their software with the same level of integrity. But software vendors that service critical infrastructure sectors and do not currently adhere to best practices must take steps today.

Steps for Secure Software

The National Cyber strategy highlights the NIST Secure Software Development Framework (SSDF) as a widely accepted best practice guide for developing safe software. The framework provides recommended practices across four groups to guide secure software development. Furthermore, the CISA worked in collaboration with the National Security Agency, Federal Bureau of Investigation and international partners to develop the Principles and Approaches for Security-by-Design and -Default.

One main point in both guidance’s that some companies may overlook is the role of third-party vendors. It is not enough to define security developments for software; businesses must also communicate these requirements to all third-party software providers. Furthermore, the SSDF outlines that companies must continuously verify third-party software for regular security maintenance. This requires businesses to work closely with third-party vendors to ensure the ongoing integrity of system security.

Cybersecurity certifications such as system and organization controls (SOC) can help companies evaluate the cybersecurity posture of third-party vendors. Simple vendor questionnaires at the beginning of an engagement are not enough; businesses must consistently monitor their vendor’s cyber posture, and software providers should expect the same from users.

Cybersecurity teams at tech companies should closely examine the NIST SSDF as well as the CISA Secure by default principles and cross-check the guidelines with their current practices. Identify which areas the company excels in and which areas may need improvement. Then create an actionable plan with timelines, roles, responsibilities, and resource allocation to improve any areas that do not meet current requirements. This may often require C-suite buy in, but by highlighting the potential ramifications and associated liability highlighted in the national cybersecurity framework, cyber teams should be able to gain the necessary buy-in.

Higher Stakes

The national cyber strategy outlines a plan that prevents software companies from hiding from liability behind carefully drafted contracts. Only time will tell what the national cybersecurity strategy will look like in practice and the safeguards implemented, but it is never too early to begin taking the necessary steps. Software providers should closely analyze their current posture and those of any third-party software providers they use to deliver products to customers. The time to act is now.