.png)
But-for a major shift in responsibility and desire for private sector liability, the March 2023 National Cybersecurity Strategy reiterates much of the same mantra as previous policy papers issued by the U.S. Govt. in response to the growing crisis surrounding cybersecurity.
Historically, the U.S. govt asked private industry to voluntarily report cyber intrusions and issue timely updates to fix vulnerabilities. The U.S. Govt. also focused on self-assurance, independent of the role played by commercial products in any network’s cybersecurity.
Now, with the new National Cybersecurity Policy, the U.S. Govt. appears to issue advanced warning that the previous “requests” may become “mandates.” However, with a Constitutionally secured right to property, the U.S. Govt. is limited in what it can force private industry to do, especially with reliance on so many products manufactured overseas.
Therefore, the new National Cybersecurity Policy promises liability for commercial manufacturers and professional services vendors in the software and networking space. If realized into legislation, certain “Strategic Objectives” will force private companies to implement cybersecurity measures, rather than it being a voluntary act or face litigation.
For example, in Pillar three, “Shape market forces to drive security and resilience,” the policy demands a shaping of market forces "to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” Entitled “Hold the stewards of our data accountable,” Strategic Objective 3.1 announces that President Biden “supports legislative efforts to impose robust, clear limits on the ability to collect…and provide strong protections for sensitive data[.]”
Again, in Strategic Objection 3.2, strongly labeled as “Shift Liability for Insecure Software Products and Services,” the current administration pledges to “work with Congress and the private sector to develop legislation establishing liability for software products and services…prevent[ing] manufacturers and software publisher with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios.”
This Policy is consistent with the March 6, 2023, Transportation Security Administration announcement of regulations aimed at holding the aviation industry liable for cybersecurity faults. TSA-regulated entities must now proactively assess the effectiveness of these measures within their own networks:
1. Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3. Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
4. Reduce the risk of exploitation of unpatched system through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a rick-based methodology.
While TSA acknowledges that software vendors must have the freedom to innovate, they also must be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Companies that deviate from these standards would presumably be exposed to legal liability, creating an incentive for companies to meet certain minimum-security thresholds and improve the quality of their code and products.
With these announcements, private technology companies are wise to review their current contractual obligations to ensure the most advantageous balance of liability is instituted before laws change. Fair or not, the U.S. Govt. is seeking to hold technology vendors responsible for cyber assurance for their clientele.