Is liability for software security simple or complicated?
The federal government isn't quite sure.
"We can't allow the end user to be held liable for flaws in code… it's just that simple."
"I don't think we're ready for a software liability regime from the White House into Congress now. I think this is going to take some time, we have to be thoughtful about this — and intentional — because this is complicated."
Who said each of these things?
The first one is from someone pushing for aggressive government regulation on software security standards, as proposed in the National Cybersecurity Strategy (NCS) and other fora, right?
And the second is from someone more skeptical of the effort, who understands the nuances of technology and knows that government mandates often have unintended side effects and create perverse incentives, correct?
Wrong.
They are both from the same person (Acting National Cyber Director Kemba Walden) and from the same month (April 2023).
Even by the standard of the preachy, vague, and at times hypocritical pronouncements echoing forth from the federal government about software security, this was an especially notable contradiction.
Could it be that only a few months into their push, federal officials are realizing that the government dictating cybersecurity standards to the nation’s technology sector isn’t quite as simple as it seemed?
Or are their talking points just not coherent?
In either case, I think this is cause for concern about their efforts.
The acting National Cybersecurity Director isn't the problem. The cybersecurity industry doesn't want it, because why should they be liable for problems in their products when the rest of the software industry gets a pass? Imagine Microsoft, after years of writing bad code, now being held liable for it? That's why it's complicated. It's not a government problem. It's an industry problem.