White House Cyber Strategy Floats Federal Backstop, Liability for Software Makers
The Biden administration highlighted the potential of a federal cyber insurance backstop as a key objective of its long-awaited national cybersecurity strategy, alongside a push to hold software manufacturers accountable for vulnerabilities in their products.
“The president’s strategy fundamentally reimagines America’s cyber social contract,” Acting National Cyber Director Kemba Walden said during a press briefing this week. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”
Walden added, “We ask individuals, small businesses and local governments to shoulder a significant burden for defending us all. This isn’t just unfair; it’s ineffective. The biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
The 39-page strategy document outlines the administration’s five pillars for improving the nation’s resilience against cyberattacks. These pillars include defending critical infrastructure; disrupting threat actors; increasing accountability for secure products and software; investing more in cybersecurity and “smart” technology at the federal level; and pursuing international partnerships to promote security.
Examination of federal cyber insurance backstop mechanisms falls under the third pillar, with the administration acknowledging the government’s responsibilities after catastrophic events.
“Structuring that response before a catastrophic event occurs—rather than rushing to develop an aid package after the fact—could provide certainty to markets and make the nation more resilient,” stated the administration in the strategy, adding that a backstop could shore up the cyber insurance market’s ability to drive good cyber hygiene practices.
The U.S. Treasury’s Federal Insurance Office is already exploring the feasibility of a cyber backstop. The idea was supported by much of the market, particularly insurance buyers, but framed as “premature” by some.
In addition to calling for the development of more secure Internet of Things devices, the document emphasizes the need to “shift liability onto those entities that fail to take reasonable precautions to secure their software.”
The administration said it would work with Congress and the private sector to prevent manufacturers and software firms from skirting liability by contract, as well as to establish standards of care for software and products.
White House officials acknowledged that new liability legislation likely won’t be “on the books within the next year.”
“We see shifting liability as a long-term process,” they said during the press briefing. “When we think about this strategy, we’re looking out a decade. And so, our anticipation is that we will need to begin this process of working with industry to establish what better software development practices look like, work to implement those, work to articulate those, and then work with industry and Congress to establish what some kind of liability shield for the adoption of those practices would look like.”
© 2023 Zywave, Inc. All rights reserved.