On March 2, 2023, the Biden Administration released the National Cybersecurity Strategy. Setting the Administration’s comprehensive cybersecurity policy, the Strategy seeks to implement several measures to build a “defensible, resilient digital ecosystem” for the United States and its allies. Notably, many of the Strategy’s objectives impact technology companies—the Strategy seeks to impose liability on technology companies that fail to take “reasonable precautions to secure their software.”
For an overall review of the framework provided by the Strategy, please see our Privacy, Cyber & Data Strategy advisory “White House Releases National Cybersecurity Strategy.”
Immediate Impact on Businesses
The Strategy has no immediate impact on the technology industry, although it clearly signals the Administration’s directive to aggressively regulate software makers’ security practices. The Strategy, by itself, creates no new obligations and has no legal effect. Instead, the Office of the National Cyber Director (ONCD), an executive agency responsible for advising the President on cybersecurity issues, will lead the development of a plan setting out the “Federal lines of effort” necessary to implement the Strategy. Businesses can look to the Strategy as a roadmap for potential legislation and regulation to come, while keeping in mind the actual implementation may substantially differ from what the Strategy outlines.
Notable Issues for Software Companies
The Strategy proposes several cybersecurity measures, but two issues are of particular importance to the technology industry.
National cybersecurity requirements
One of the Strategy’s central objectives is the establishment of national cybersecurity requirements. The Administration identifies imposing security obligations on organizations that hold personal data as one of the “fundamental shifts” required to create a more secure cyberspace. To this end, the Administration specifically calls for federal legislation that will regulate businesses’ ability to collect, maintain, and use personal data. Under the Strategy, the Administration will push such legislation to include national security requirements that conform to the standards and guidelines that the National Institute of Standards and Technology (NIST) has developed.
Imposing liability on technology companies
Under the Strategy, the Administration will also “work with Congress and the private sector to develop legislation establishing liability for software products and services.” From the Administration’s view, the market is incentivizing creation of vulnerable products because the current regulatory landscape lacks strong penalties for technology companies that ignore security best practices. The Strategy calls for federal legislation that imposes liability on businesses that “fail to take reasonable precautions to secure their software.” This likely covers companies that physically distribute software, host their software, or distribute physical products with embedded software.
The Strategy suggests what these reasonable precautions should include. First, companies should implement secure-by-default configuration and remove any known vulnerabilities before their products enter the market. Second, companies should conduct thorough due diligence of any third-party components they integrate into their products or face liability from issues caused by such components. Third, companies should follow industry best practices for secure development, including performance of pre-release testing.
Additionally, the Strategy seeks to limit software makers’ ability to contractually disclaim their security liabilities. The Administration explains that certain technology companies leverage their superior market positions to fully disclaim their security liabilities when contracting with end users, including consumers and small- to medium-sized businesses. Based on this “market position” statement, the Strategy’s aggressive measures appear to mainly target (1) “big tech” companies and other businesses with strong market shares; and (2) makers of consumer-facing software products.
Likely Industry Pushback
We anticipate significant pushback from the industry.
Cybersecurity harms caused by multiple factors
First, it is unclear how the Strategy addresses cybersecurity harms caused by multiple factors from a liability perspective. In today’s environment, it is often hard to find a single point of failure that causes security issues. A user often operates an interconnected system of software products, which may create a security risk only in combination. Threat actors may use vulnerabilities in several different products together for exploitation. Besides due diligence requirements for third-party components, the Strategy does not provide meaningful guidance on how the liabilities will be distributed when there are multiple factors that lead to security failures.
The prevalence of open-source software (OSS) in modern software development will add complexity as technology companies try to meet the diligence requirements in the Strategy. As the Administration recognizes, a single software product often incorporates a number of OSS components, and each OSS component is continuously being developed and maintained by multiple contributors. These characteristics of OSS make it harder for technology companies to be certain they have vetted all OSS components integrated into their products. Despite these challenges, the Strategy suggests that technology companies, and not OSS developers, will be responsible for cybersecurity failures arising from the use of OSS.
User-created cybersecurity issues
Second, even if a single point of failure exists, the Strategy does not explain how user-created issues will be weighed. While the Strategy states that technology companies should set default configurations to be secure, it is unclear what types of liability businesses will face when users cause security issues, either intentionally or unintentionally.
It appears the Administration plans to hold technology companies responsible for user errors to a certain degree. For example, the Strategy emphasizes “[a] single person’s momentary lapse in judgment, use of an outdated password, or errant click” should not have significant impact on national cybersecurity. This statement can be concerning for the industry, given that technology companies cannot control all user behavior.
Potential safe harbor program
Businesses may gain more clarity on how the Administration will address these concerns as the ONCD establishes the implementation plan, especially around the safe harbor program proposed in the Strategy. The Strategy acknowledges that no security measures can prevent all vulnerabilities. Accordingly, the Administration is planning to develop an “adaptable safe harbor framework” that takes into account relevant best practices, such as the NIST standards.
Important Open Questions
As the Strategy only provides high-level objectives of the Administration, there are several important open questions.
Interaction with state rules
First, the Strategy does not substantively address how these federal initiatives will interact with existing state laws and regulations. The Strategy’s objectives encompass rulemaking and legislation on both federal and state levels, but it is unclear how the Administration plans to handle potentially conflicting requirements.
From a security standpoint, a number of states already require certain cybersecurity measures for covered businesses, with some jurisdictions maintaining their own safe harbor programs. From a contractual liability standpoint, state contract laws generally govern the enforceability of contracts, including limitations on liability provisions. At the moment, the Strategy makes a general reference to “collaboration” between different authorities but does not specify preemption or other mechanisms to streamline differing jurisdictional rules.
Private right of action
Second, it is unclear whether the Administration seeks to provide a private right of action for the anticipated cybersecurity requirements. The Strategy encourages states and other regulators to use their existing enforcement authorities to further the Strategy’s objectives. But at the moment, the Strategy does not mention a private right of action even though its existence may substantially affect businesses’ exposure.
The Strategy signals the Administration’s willingness to take aggressive cybersecurity measures against big tech and companies processing consumer data. At the moment, however, the Strategy has no impact on the technology industry. A change of Administration could also affect the Strategy’s implementation, just as the Strategy itself replaces the prior national cybersecurity strategy established by the Trump Administration. We will continue to monitor developments surrounding the Strategy, particularly once the ONCD publishes the implementation plan in the coming months.