The White House published the National Cybersecurity Strategy on Thursday and it understandably received a lot of attention. I think it’s an excellent document and very well thought out (I especially liked the statement that the government will “promote the further development of SBOMs”). However, there’s one section I find to be…well, let’s say I find it lacking in sound reasoning. That’s the one on pages 24 and 25 entitled “Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services”. The contents of this section were essentially given a road tryout by Jen Easterly, Director of CISA, in a speech at Carnegie Mellon University on Monday; the speech was reported on in this article in the Washington Post on Wednesday.
To be honest, I don’t even object to all the language in this section. For example, I completely agree that software suppliers should not be able to disclaim all liability for defects in those 100-page “contracts” that nobody reads but everybody has to sign, if they want to use software at all.
However, what I do object to is the implication in that section (as well as in Ms. Easterly’s comments on Monday) that when there’s a cyber breach, the default assumption will always be that it’s the software developer’s fault. This is because many developers “ignore best practices for secure development”, “ship products with…known vulnerabilities”, or “integrate third-party software of unvetted or unknown provenance”.
The best articulation of this attitude is found in this WaPo article published after the strategy was released, which says a senior administration official (who of course needs to remain anonymous, since otherwise they’ll be punished for telling the truth) “told reporters Wednesday that the proposal would be to place liability ‘where it would do the most good,’ primarily ‘the company that is building and selling the software.’”
Let me rephrase this to make clearer the meaning of this remarkable statement: "We’re not concerned with determining where to place liability in the sense of 'Whose fault is this?'; that’s so 20th Century. Instead, what we’re really concerned with is ‘Who will be most susceptible to being pressured to take the fall for the breach, since we’ve already said up front that they’re the culprits?’" I commend this candor, although it would have been even better if the official had identified himself or herself.
Of course, I certainly don’t deny that there are developers who violate best practices. But it surprised me that, given that whoever wrote this section of the strategy was clearly quite concerned about assigning liability for future cyber breaches, there was no mention of other entities that might share liability. First and foremost, how about users that aren’t applying patches, configuring their firewalls properly, or investing a nickel in training their security staff (which may consist of the president’s teenage son, who comes over when he’s done with soccer practice)?
But let’s not stop there. There was also no mention of cloud providers who make their customers responsible for their own security, even though many of them clearly don’t understand how security works in the cloud (here’s Exhibit A in that regard). Or of cloud providers who gladly allow new, untested companies to sell access to apps on their cloud without paying too much attention to pesky little questions like...you know...do these guys, who were peddling mortgages a year ago, have the slightest idea how to do this securely?
Finally, there was no mention of a national government (I won’t tell you which national government I’m talking about, but it’s not Estonia’s) that invested huge amounts in Project Einstein, the 21st Century version of the Maginot Line. Project Einstein was designed to secure the US from foreign cyberattacks. And to that government’s credit, it succeeded in protecting the US from Russian cyberattacks about as effectively as the Maginot Line protected France from the German armies in 1940 – that is, not at all.
Undeterred by press releases, the Russians bypassed Project Einstein by setting up all the servers they needed to carry out their tremendously well-executed attack on SolarWinds at US-based cloud providers, all completely within the borders of the good old US of A! At least the French can use the Maginot Line fortifications as a tourist attraction today, which is more than we can say for Project Einstein.
I could go on, but you get the idea: The liability for almost any cyber breach can be traced to thousands of clueless individuals in all walks of life. If you wanted to assign liability properly, you’d have to trace down all these individuals and spend a year or two figuring out exactly how much of the bill each of those parties is responsible for. Then, you’d have to get each of them to pay their fair share.
But it’s so much easier if you just say the software developer is responsible. That way, you can be home in time for dinner with the family.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org.