US National Cyber Strategy allays fears over liability for open source vulnerabilities


Open source developers will not be held responsible for software vulnerabilities used in commercial environments under new cyber security plans outlined by the US government.

Amanda Brock, CEO at OpenUK, told IT Pro the Biden administration’s decision to omit open source developers from potential penalties for flaws in software products sets a strong message for the global open source community.

“We applaud the clear statement from The White House that open source developers will not be responsible for any commercial usage of their software, despite a bold and clear shift in liability to commercial entities distributing software on a commercial basis,” she said.

“Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the open-source developer of a component that is integrated into a commercial product.”

Brock’s comments follow the recent announcement of the US National Cyber Strategy, unveiled on Thursday.

The long-awaited strategy set out ambitious plans to bolster national security capabilities, including the creation of minimum security standards for critical infrastructure companies and holding software vendors liable for product flaws.

Under the strategy, the Biden administration intends to place responsibility for cyber attacks in the hands of software developers and security vendors. Officials said the move will ensure that providers “shoulder a greater share of the burden” for managing cyber risk.

“The president’s strategy fundamentally reimagines America’s cyber social contract,” said acting national cyber director Kemba Walden.

“It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it,” she added.

This approach follows a long-running discussion in recent years over who should bear liability for cyber attacks.

Traditionally, organisations that have experienced security breaches have borne responsibility for the incident, even when they fell victim to threat actors because of vulnerabilities in software they did not write.

This was an issue highlighted by CISA director Jen Easterly earlier this week in a speech made to students at Carnegie Mellon University.

Easterly bemoaned what she described as “unacceptable” security practices that are rife across the industry. Such practices included the industry-wide acceptance that software vendors ship products with security vulnerabilities and are generally slow to fix them.


She warned that this common practice was “evidence of our willingness to operate dangerously” and called on the global tech sector to demand higher standards for products used across the industry.

On the back of the National Cyber Strategy announcement, it appears that the US administration is of a similar opinion regarding vendor security practices.

Speaking on Thursday, Kemba said placing blame on individuals or specific organisations was “unfair” and “ineffective”.

She noted that the administration will work with lawmakers in Congress and the private sector to draft legislation aimed at holding software providers liable for security flaws. An exact timeline for this legislation is yet to be confirmed.

A welcomed approach

The National Cyber Strategy has been met with positive reception across the cyber security sector and broader global tech industry.

Aaron Kiemele, CISO at Jamf, told IT Pro that the strategy is a “welcome change” that could signal a more pragmatic approach to cyber risk.

“The idea of taking NIST standards and suggesting companies out of compliance are negligent and liable for privacy breaches is interesting,” he said. “The devil will be in the details, but a GDPR-like liability regime tied to a real, pragmatic set of baseline control expectations will be a welcome change.”

However, Kiemele warned that liability for flaws exposed in software could be a “more dangerous” approach for the administration to pursue.

He noted that any proposed legislation will need to “draw a fine line” to ensure responsible practices are maintained without inhibiting providers or imposing punitive penalties.

“If a new issue arises and causes widespread impact, that doesn’t mean that the software vendor was negligent. You can do everything right and still be impacted by a security incident,” he said.

“There are plenty of old vulnerabilities that remain unpatched for years. As well as companies that are truly not prioritising security and privacy,” Kiemele added.

“How to take the outcome (often a poor indicator of the underlying security capabilities of the company) and drive reform without this becoming a punitive punishment for a security environment that cannot reasonably be predicted is going to be tricky.”

Ross Kelly
News and Analysis Editor
