2023 Cybersecurity Strategy

This month, the Biden Administration released the 2023 National Cybersecurity Strategy. The document's recommendations are largely unspecific, deferring to general public policy initiatives still to come, so hopefully more documentation on implementation will follow. There are three notable objectives to keep an eye on:

Objective 3.1: "Hold the Stewards of Our Data Accountable"

This objective suggests considering federal data privacy legislation; however, states still have trial-and-error work to do among their various approaches. Will the administration support a comprehensive CCPA/GDPR-style model or something closer to the Virginia model? Alternatively, Congress could fail to act, leaving states – and privacy attorneys with big spreadsheets – with 50 privacy statutes, as happened with data breach notification statutes.

Objective 3.3: "Shift Liability for Insecure Software Products and Services"

In addition to the clear call for SBOM usage, the administration supports shifting liability from end users to "those entities who fail to take reasonable precautions," i.e., vendors. This objective raises concerns about regulatory standards – or the lawyerly "reasonableness" standard – that may be unattainable for small and medium-sized vendors. Moreover, it is unclear whether open-source software communities, which contribute 70-90% of modern commercial software, could also be subject to liability.

The liability theory in Objective 3.3 dates back at least a century to the famous tort law case MacPherson v. Buick, which established a duty of care for foreseeable harm and eliminated the necessity of privity between automobile manufacturers and end users. Applying MacPherson v. Buick principles to software liability suggests that software developers and producers may owe a duty of care to end users and be held liable for negligence in their products. This duty covers reasonably foreseeable harm and does not require a direct contractual relationship between the injured party and the developer. However, applying these principles is complex due to the intangible nature of software and the abstract nature of "harm" in a data sense. Courts and lawmakers have much line-drawing to do, but nonetheless, the open-source community and software vendors should be on edge.

Objective 3.6: "Explore a Federal Cyber Insurance Backstop"

A federal cyber insurance program could be problematic because of its potential similarity to the "too big to fail" federal backing of banks and auto manufacturers. Just as those backstops encourage moral hazard, a federal cyber insurance program might inadvertently incentivize complacency among businesses in implementing robust security measures. Companies may rely excessively on the insurance rather than investing in proactive cybersecurity practices, thereby increasing overall risk. Furthermore, the government's involvement in covering losses could burden taxpayers and create systemic risks, as seen in the financial crisis. Such a program must carefully balance risk management, financial stability, and public accountability to avoid these pitfalls.

Another argument against this federal insurance program is that it guarantees a payday for hacked systems.
