The acting National Cybersecurity Director isn't the problem. The cybersecurity industry doesn't want it because why should they be liable for problems in their products when the rest of the software industry gets a pass? Imagine Microsoft, after years of writing bad code, now being held liable for it? That's why it's complicated. It's not a government problem. It's an industry problem.
Don't get me wrong, I am not against all regulation. I laid out my concerns with this Administration's approach and provided an alternative one here: https://www.blog.deploy-securely.com/p/what-software-security-regulation.
And making that regulation work properly is certainly a government problem. The fact that the ostensible head of federal cybersecurity says opposite things about this problem in the same month shows a lack of understanding of the topic and fuels my concerns.
Good post, Walter.
Jeffrey, regulation is one thing, but that's not what we're talking about here. I'm sure the software industry will accept regulation, as long as they can have a hand in drafting it. But what Kemba Walden was proposing was somehow rejiggering the whole concept of liability so that the software supplier was always going to be presumed responsible for a breach, although mitigating factors could be introduced at that point. In other words, guilty until proven innocent.
So, if the customer had never applied a single patch from the supplier and got breached because of that, the supplier would still be presumed to be at fault up front.
Last time I checked, in the US, liability is determined in a court of law by a judge or jury, not by someone in the White House. Moreover, neither party is presumed to be liable without a trial to determine that. I think it would be a good idea to leave that principle in place.
And in practice, Walden's (and Easterly's) proposal would have gone nowhere, since it would be such a radical departure from American legal principles. The amazing thing to me was that anyone in government would even make such a proposal, or that so many people would swallow it.