The White House published the National Cybersecurity Strategy on Thursday and it understandably received a lot of attention. I think it’s an excellent document and very well thought out (I especially liked the statement that the government will “promote the further development of SBOMs”). However, there’s one section I find to be…well, let’s say I find it lacking in sound reasoning. That’s the one on pages 24 and 25 entitled “Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services”. The contents of this section were essentially given a road tryout by Jen Easterly, Director of CISA, in a speech at Carnegie-Mellon University on Monday; the speech was reported on in this article in the Washington Post on Wednesday.
To be honest, I don’t even object to all the language in this section. For example, I completely agree that software suppliers should not be able to disclaim all liability for defects in those 100-page “contracts” that nobody reads but everybody has to sign, if they want to use software at all.
However, what I do object to is the implication in that section (as well as in Ms. Easterly’s comments on Monday) that when there’s a cyber breach, the default assumption will always be that it’s the software developer’s fault. This is because many developers “ignore best practices for secure development”, “ship products with…known vulnerabilities”, or “integrate third-party software of unvetted or unknown provenance”.
The best articulation of this attitude is found in this WaPo article published after the strategy was released, which says a senior administration official (who of course needs to remain anonymous, since otherwise they’ll be punished for telling the truth) “told reporters Wednesday that the proposal would be to place liability ‘where it would do the most good,’ primarily ‘the company that is building and selling the software.’”
Let me rephrase this to make clearer the meaning of this remarkable statement: "We’re not concerned with determining where to place liability in the sense of 'Whose fault is this?'; that’s so 20th Century. Instead, what we’re really concerned with is ‘Who will be most susceptible to being pressured to take the fall for the breach, since we’ve already said up front that they’re the culprits?’" I commend this candor, although it would have been even better if the official had identified himself or herself.
Of course, I certainly don’t deny that there are developers who violate best practices. But it surprised me that, given that whoever wrote this section of the strategy was clearly quite concerned about assigning liability for future cyber breaches, there was no mention of other entities that might share liability. First and foremost, how about users that aren’t applying patches, configuring their firewalls properly, or investing a nickel in training their security staff (which may consist of the president’s teenage son, who comes over when he’s done with soccer practice)?
But let’s not stop there. There was also no mention of cloud providers who make their customers be responsible for their own security, even though many of them clearly don’t understand how security works in the cloud (here’s Exhibit A in that regard). Or of cloud providers who gladly allow new, untested companies to sell access to apps on their cloud without paying too much attention to pesky little questions like...you know...do these guys, who were peddling mortgages a year ago, have the slightest idea how to do this securely?
Finally, there was no mention of a national government (I won’t tell you which national government I’m talking about, but it’s not Estonia’s) that invested huge amounts in Project Einstein, the 21st Century version of the Maginot Line. Project Einstein was designed to secure the US from foreign cyberattacks. And to that government’s credit, it succeeded in protecting the US from Russian cyberattacks about as effectively as the Maginot Line protected France from the German armies in 1940 – that is, not at all.
Undeterred by press releases, the Russians bypassed Project Einstein by setting up all the servers they needed to carry out their tremendously well-executed attack on SolarWinds at US-based cloud providers, all completely within the borders of the good old US of A! At least the French can use the Maginot Line fortifications as a tourist attraction today, which is more than we can say for Project Einstein.
I could go on, but you get the idea: The liability for almost any cyber breach can be traced to thousands of clueless individuals in all walks of life. If you wanted to assign liability properly, you’d have to trace down all these individuals and spend a year or two figuring out exactly how much of the bill each of those parties is responsible for. Then, you’d have to get each of them to pay their fair share.
But it’s so much easier if you just say the software developer is responsible. That way, you can be home in time for dinner with the family.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.