Policy Explainer

A Shifting Liability Landscape

As things stand now, when a company falls victim to a cyberattack, it is held liable for that incident. Vendors and manufacturers are able to push out products riddled with vulnerabilities without fear of significant repercussions, should one of their clients fall victim to a cyberattack because of those vulnerabilities.

CISA and the White House want to change this structure of liability. CISA Director Jen Easterly outlined CISA’s view on this issue of “dangerous-by-design” technology products in a speech at Carnegie Mellon University, saying that it is time for a “fundamental shift” to “value safety over other market incentives like cost, features, and speed to market.”

Easterly compared the technology market today to cars in a familiar metaphor, noting that “for the first half of the 20th Century, conventional wisdom held that car accidents were solely the fault of bad drivers.” Similarly, in the technology field, “we seem to be misplacing the responsibility for security and compounding it with a lack of accountability.” Just like we can now trust that cars on the road have been manufactured with a variety of standard safety features, we should be able to trust in the “safety and integrity” of our technology products, argues Easterly.

Her speech then clarified three core principles to guide technology manufacturers:

  1. The burden of safety should not fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes of their customers.
  2. Technology manufacturers should embrace radical transparency and commit to accountability for the products they bring to the market.
  3. Leaders of technology manufacturers should explicitly focus on building safe products.

While some might look at Easterly’s speech as an aspirational roadmap for an agency with very few regulatory teeth, the recently released National Cyber Strategy (NCS) out of the White House echoes CISA’s plan.

The Biden Administration’s long-awaited NCS details five key pillars to guide policy decisions coming out of the Executive Branch going forward. These five pillars all aim to rebalance the responsibility of defending cyberspace and to realign incentives to favor long-term investments.

The most relevant parts of the NCS for the private sector are around the White House’s goal of shifting liability for cybersecurity from end users to those creating the systems. Labeled “Pillar Three” of the strategy, the plan outlines how the federal government will use its purchasing power to reshape the market to “place responsibility to those best positioned to reduce risk” while “shifting the consequences of poor cybersecurity away from the most vulnerable.”

One way the federal government will do this is by holding data stewards accountable in “supporting legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.” Another objective is to shift liability for insecure software products and services onto entities that fail to take reasonable precautions to secure their software. The Administration will work with Congress, with input from the private sector, to establish liability for software products and services.

Additionally, the government will begin exploring a federal cyber insurance backstop program. This idea entered the general conversation last fall when an exploratory committee was commissioned by the Department of the Treasury to determine what a federal cyber insurance program would look like, and was furthered last month when Senator Hickenlooper introduced a bill to look into the idea. The NCS naming the exploration of this kind of program further cements the government’s recognition that cyber insurance might be necessary to ensure the resilience of the private sector in the digital age.

The other relevant pillar for the private sector is Pillar One, which states that cybersecurity regulations for critical infrastructure businesses will no longer be established under an opt-in, voluntary system. Instead, new and updated mandatory regulations will be tailored to each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the costs of implementation.

These changes all confirm something many agencies have been hinting at for months: the liability landscape for cyber incidents needs to change. The NCS prioritizes shifting this liability to technology producers, emphasizing the importance of secure-by-design products, and makes the federal government responsible for setting up a mandatory regulatory landscape that provides an adequate baseline for private sector critical infrastructure businesses to rely on.