The Biden administration is set to release an aggressive new national cybersecurity strategy on Thursday that seeks to shift the blame from companies that get hacked to software manufacturers and device makers, putting it on a potential collision course with big technology companies.
The 35-page strategy, shared in advance with a group of reporters, asserts that software makers must be “held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers.”
“Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” according to the document.
The new strategy commits the administration to work with Congress and the private sector “to develop legislation establishing liability for software products and services.”
A top Google official, for one, said his company welcomed the Biden administration plan.
Senior US officials have publicly complained that technology companies, including
Such an ambitious effort comes despite the failure of the Biden administration to advance legislation in its first two years to rein in the power of the biggest tech companies including
The White House endorsed such moves although critics said it didn’t push the Democratic Senate Majority Leader
A senior administration official, who spoke on condition of anonymity to brief reporters, conceded shifting liability for cybersecurity breaches to software companies would require legislative action and was part of a long-term process that could take as long as a decade. The official added that the administration didn’t expect to see a new law on the books within the next year.
The next presidential election is less than two years away, raising the question of whether the administration can even come close to delivering the most ambitious goal of its new strategy to protect Americans from hackers.
The senior official later told Bloomberg News that the administration would seek to capitalize on bipartisan support for greater cybersecurity. However, short of legislative action, customers could bring civil claims against software and device manufacturers in a bid to improve security standards and shape market forces, an approach the administration endorses, the official said.
The official said there was room for collaboration with the software industry rather than confrontation. In addition, the administration hopes that its plan will force companies to do better in securing its software to win customers in a competitive marketplace, the official said.
The administration’s strategy also promises a stronger stance against ransomware, in which criminals encrypt a victim’s files until an extortion fee is paid. (Many attackers now steal files, too, and threaten to post them publicly unless paid).
In increasingly aggressive approach to disrupting such groups, the Justice Department last year closed down crypto exchanges used by ransomware criminals through the use of sanctions and the FBI earlier this year took down the Hive ransomware group by seizing control of servers and websites used by its members in coordination with German and Dutch officials.
The strategy will also seek to expand minimum cybersecurity requirements for critical infrastructure sectors without additional legislation, likely to be one of its most achievable aims.
She added that the administration had already put in place minimum cybersecurity requirements for pipelines and railways and would announce them for additional industries, though she did not say which ones.
Neuberger said the US government can use purchases to shape a market. As a New Yorker, she said she appreciates restaurant hygiene ratings that are included entrance doors, and that labeling software and devices could similarly enable customers to make more secure choices.
“We will continue to work with the Congress to determine what they want to do, what they’re willing to do, but we need to use executive authorities as well,” he said. “The regulatory framework that I think will emerge has to benefit from a high degree of consultation and the lightest possible touch and some degree of harmonization, so we don’t actually exercise some duplication of effort which wastes time in one or more corners.”
(Updates with a comment from Google and additional comments from Anne Neuberger.)
--With assistance from
To contact the reporters on this story:
To contact the editors responsible for this story:
© 2023 Bloomberg L.P. All rights reserved. Used with permission.