Congress should pass a law to hold companies accountable for developing information technology products that don’t follow cybersecurity best practices, Rep. Jim Langevin, D-R.I., said.
“Right now, especially on the software side, there’s a rush to be first to market versus a focus on being secure to market,” Langevin, chairman of the House Armed Services Committee’s panel on emerging threats, said in an interview with Nextgov. “We want to change that dynamic, flip it around so that the final goods assemblers have some skin in the game, if you will, that requires them to have some liability for what they’re putting out there.”
A final goods assembler is the sole legal entity that is attached to a finished product and enters a license agreement with the end-user. The finished products covered by the law would not be limited to physical devices such as laptops and smartphones, but would also include operating systems, applications and connected industrial control systems, according to the Cyberspace Solarium Commission’s final report.
The non-partisan, public-private commission, which includes Langevin as a member, addressed the liability issue in one of its more than 80 recommendations for improving cybersecurity. The commission urged a new law to establish “final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities for as long as they support a product or service.” Though a number of the commission’s recommendations were proposed as amendments to the National Defense Authorization Act, the liability recommendation was not. Establishing any kind of liability within the software industry, in particular, has been a tall order, experts note. But while the NDAA is the most immediate vehicle for turning their recommendations into law, members of the commission said they plan to continue introducing standalone bills to get as many through as possible.
“User agreements that the public click on typically absolve them of any liability,” Langevin said, explaining the approach the commission took, which leaves room for the industry to make its own business decisions while providing a recourse for consumers, including the government.
“If you think of it in terms of a car, we’re not dictating what vulnerabilities need to be addressed, that is a business decision to be made by the company that is the final goods assembler that sells the product to the public or the government,” Langevin said. “But if they sell a car that has faulty brakes or seatbelts, if they’re knowingly selling an item with defects, if there are known vulnerabilities, that’s a key point.”
Langevin points out that, just as in selling a car, not all defects are on the same level. Brakes or seatbelts are very different from a broken visor, for example.
“Not every known vulnerability will lead to serious consequences,” he said. “That’s going to be up to the final goods assembler to make that determination. They may say a known vulnerability is minor, it’s not going to cause any traffic harm, we’re good with selling it. If something consequential does happen though, it gives the consumer a path forward to hold somebody accountable.”