Shostack + Friends Blog


The National CyberSecurity Strategy: Liability is Coming

After months of signals, the new US National CyberSecurity Strategy is out, and I can stop beating around the bush and be explicit:

Liability is coming.

There’s lots more in the Strategy. Bruce Schneier has a good roundup of first responses. I didn’t try to provide a hot take on it, because I think others did a fine job. (I will say that I’m thrilled to see lesson-learning and assessing effectiveness in the implementation section.)

Liability is going to be a big shift, and it will have undesirable consequences. Let me start by quoting a summary from Jim Dempsey:

We must begin, the administration says, to shift liability onto those who should be taking reasonable precautions to secure their software. This will require three elements, according to the strategy: preventing manufacturers and service providers from disclaiming liability by contract, establishing a standard of care, and providing a safe harbor to shield from liability those companies that do take reasonable measurable measures to secure their products and services. Together, the three points are based on a recognition that the goal is not perfect security but, rather, reasonable security. (Lawfare)

The first of these, eliminating the “as is” and “no warranty” from commercial software sales, seems like a no-brainer unless you sell software, in which case, it’s the end of the world. Expect a chorus of doom, with arguments much like the ones Andy Ellis makes here. This post is long enough, so I may come back to Andy’s list in a different post.

The second of these, a standard of care, is simply not that hard — if you’re a lawyer. NIST’s SSDF, FDA’s Pre-market Guidance, and FTC’s Start With Security are all out there today to establish minimum standards. If you’re doing nothing, you need to start doing something. If you’re doing something, you should assess if it’s generally in line with those. Standards like OWASP’s OpenSAMM provide a measurable tool for assessing how you’re doing. Yes, there’s nuance, but:

The third point is a safe harbor. A lot of the action will be around defining who gets to be in that safe zone. There’s a spectrum of possible answers. Will big tech companies with billions in annual profit be able to join and remain? Companies that ship new code in languages without memory safety? Those without bug bounties or safe harbors for reporting security issues? We can expect a bruising fight over where the safe harbor starts, and how it ratchets over time.

I believe the White House position is that breaches continue, critical infrastructure is at risk and adversaries run essentially unchecked, “nothing” is no longer a viable national strategy, so let’s explore liability. Many of the critiques conflate liability with ‘new regulation.’ Liability is not new regulation; it’s consequences for failing to avoid foreseeable consequences of your choices that harm others. I think the interesting thing about liability is that, along with attestation, it’s a response to industry’s unyielding anti-regulation position. (Attestation is in OMB-M-22-18, which I discussed in my January post, The Appsec Landscape in 2023.)

Getting your software and operations processes up to speed is not a quick adjustment like rolling out Zero-Trust. 😉 It requires both technical changes and culture changes, and the culture changes will take a while. It’s time to get started.

What this means for you is that “nothing” is no longer a good enough engineering strategy. If your response to the National Strategy is to take a “wait and see” approach, lawyers are probably going to have a field day with a big stamp that says “negligent.” And there’s going to be plenty of work for expert witnesses in sorting out the meaning of reasonable, which is expensive and leads to a lot of uncertainty.

My estimate that this will take “a while” comes both from my time at Microsoft, where, after the Trustworthy Computing memo, we took years to codify our SDL, evolve it, and get to a point of excellence, and also from my more recent experience with the Shostack + Associates coaching service, where we help organizations through a similar journey. That journey is faster when someone else has made many mistakes that are obvious in retrospect, but even that doesn’t mean that changing the way an organization works is easy or fast.

Liability is coming. The sooner you start working through what that means, the happier you’ll be.

Image: A random “Winter is coming” image from Game of Thrones.