Jamf CISO comments on the National Security Strategy

The National Cybersecurity Strategy released yesterday by the Biden-Harris Administration focuses largely on the shift of responsibility for cybersecurity away from individuals and small businesses to large tech organizations such as Jamf, which specializes in Apple Enterprise Management.

Jamf Chief Information Security Officer Aaron Kiemele applauds the Biden-Harris Administration’s efforts to increase accountability for companies like his, but notes that the evolving threat landscape will make proving negligence and liability for breaches and security incidents difficult.

He notes that “All software is vulnerable in some way to future exploitation…You can do everything right and still be impacted by a security incident.” Kiemele also suspects much of the reform outlined in the strategy is in an effort to enhance trade abilities in Europe…which starts with strengthening regulatory infrastructure.

He says that the idea of taking NIST standards and suggesting companies out of compliance are negligent and liable for privacy breaches is interesting. The devil will be in the details, but a GDPR-like liability regime tied to a real, pragmatic set of baseline control expectations will be a welcome change, he adds.

The National Security Strategy provides a road map for how the Biden administration aims to defend the U.S. from a rapidly growing number of online threats.

A key element of the new framework involves shifting the burden of cybersecurity from individuals, small businesses and local governments and putting responsibility in the hands of software developers and other institutions with the requisite resources and expertise.

“The president’s strategy fundamentally reimagines America’s cyber social contract,” Acting National Cyber Director Kemba Walden said during a press briefing on Wednesday. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it. The biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.” 

She said that laying responsibility on individuals and groups who lack the resources to protect themselves is both “unfair” and “ineffective.”

As reported by CNBC, the White House is proposing that legislation establish liability for software makers which fail to take reasonable precautions to secure their products and services. The administration said in its draft report that it would work with Congress and the private sector to develop the language of such a bill, which would include “an adaptable safe harbor framework” to protect companies that “securely develop and maintain their software products and services.”

Jamf’s Kiemele also had this to say about the National Security Strategy: “Liability for flaws exposed in software is more dangerous. That will be a fine line to draw. All software is vulnerable in some way to future exploitation. If a new issue arises and causes widespread impact, that doesn’t mean that the software vendor was negligent. You can do everything right and still be impacted by a security incident. That being said, there are plenty of old vulnerabilities that remain unpatched for years, as well as companies that are truly not prioritizing security and privacy. How to take the outcome (often a poor indicator of the underlying security capabilities of the company) and drive reform without this becoming a punitive punishment for a security environment that cannot reasonably be predicted is going to be tricky.

It seems some of this is an effort to align our practices with Europe so we can trade there without restriction. Currently our regulatory infrastructure is considered too weak to support unfettered data transport to the US, which means companies need to put their own controls in place to confirm their compliance with EU privacy laws.

The most interesting piece for me continues to be that this sounds like a good faith effort to impose appropriate liability on software companies who are not currently doing the right thing to protect their data and their customers. We talk a lot about the cost of breaches but unless you get into the news cycle, the cost of a breach can be relatively small. Certainly for non-critical failures the risk to the business can be negligible. It will be nice to be held to account more fully knowing that we will be rewarded for our good practices while others in the industry will be required to do the bare minimum to secure the digital ecosystem.”

Dennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.