Last month, the Biden Administration revealed its long-awaited National Cybersecurity Strategy (NCSS). The ambitious plan was grounded in five core pillars: Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals.

The NCSS is the first step to protecting our nation’s critical infrastructure assets. The Administration has fostered tremendous industry discussions regarding software security and the best ways of building resiliency into the strategy. However, the industry awaits the operational details including requirements, deadlines, and funding. The true implications of the strategy will not be fully known until specifics are ironed out.

Over the next several weeks, Fortress will provide our thoughts, commentary, and recommendations on critical aspects of the NCSS. First up: the debate about software manufacturer liability and Safe Harbor protections.
The ears of cybersecurity and software leaders perked up when they heard the Administration say it would:

“Place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable to make our digital ecosystem more trustworthy by shifting liability for software products and services to promote secure development practices.”

We espouse a Safe Harbor philosophy. Policies that promote transparency are the answer, and those that foster retrenchment and fear will not make us safer or more resilient. Safe harbors reward organizations for employing cybersecurity best practices and incentivizing cyber-resilient behaviors.
We hope to see Safe Harbors that require:

  • Software Bill of Materials and Vulnerability Exploitability eXchange – SBOMs and VEXs are critical to building resiliency and establishing a proactive cybersecurity posture.
  • Minimum Standards – Baseline standards that promote the use of up-to-date software to reduce risks and vulnerabilities across all critical industries provide a clear blueprint for suppliers and vendors.

When the term liability gets dropped into a policy document, it attracts attention. And it should! We have seen the ramifications of software insecurity over the past several years. SolarWinds and Log4J vulnerabilities have highlighted the need for a fundamental accounting for every software component, especially those that can be pervasive across multiple industries.
However, the world of cybersecurity is truly unique. It requires perfection in an imperfect world. Strict liability standards tied to cyber performance are a recipe for legal gridlock and a barrier to innovation. Safe harbors are the answer to our nation’s cybersecurity challenges.

About Fortress Information Security

Fortress secures North America's power and defense supply chains from cyberattacks on operational and critical enterprise technologies. Fortress' proprietary technology platform orchestrates North America's most advanced cyber supply chain risk management and vulnerability management programs. Fortress operates the Asset to Vendor Network and the North American Energy Software Assurance Database, which give critical operators confidence that the products, services, and software they obtain from others are cyber-safe. Fortress is a Goldman Sachs portfolio Company.