Legal Matters

A New Federal Cybersecurity Strategy

Even though the United States does not currently follow a federal framework for cybersecurity protections, the executive branch is not completely stagnant in its efforts to protect U.S. citizens. And although legal penalties are realistically a decade away, the Biden administration recently held intense discussions with software developers. The goal? To craft frameworks that incentivize the private sector to manufacture and release software that lacks exploitable flaws.

Currently, consumers do not favor, or align their software purchases with, developers who prioritize consumer privacy in software development. This is problematic because, at present, there is no economic incentive for eliminating exploitable flaws in software. Instead, vendors have evaded legal liability for customer damages by including language in their licenses and terms of service that eliminates the possibility of remuneration. In fact, in the case of Progress Software—whose product vulnerabilities led to more than 600 organizations being breached, compromising the privacy of 40 million people—the company has not faced any liability for customer losses. Rather, it has signaled that it intends to collect on a $15 million cyber-insurance policy without offering consumers a dime.

These discussions are not the first time the Biden administration has acted on cybersecurity. Software liability is a key part of the National Cyber Strategy, released in 2023. The strategy has nearly 70 goals to address important cybersecurity issues. These discussions highlight the need to shift the cybersecurity burden from consumers to manufacturers who understand the products best.

Furthermore, the recent software discussions are not the only time software and cyber professionals have convened at the White House. A few months earlier, the White House held “A Legal Symposium on Software Liability,” at which academics and think tank experts considered the advantages of various legal approaches to software. The goal was to operationalize and enforce a standard of care, with a safe harbor for software developers who engage in strong cybersecurity practices.