New Cybersecurity Strategy Shifts Breach Responsibility to Vendors, Software Providers


By staff writer.

The White House wants to shift the responsibility for cybersecurity away from individuals and small businesses to entities that hold onto personal data, software makers and vendors. US President Joe Biden said the stakeholders best placed to prevent bad cyber outcomes needed to take more of the burden to prevent them.

His comments accompanied the release of the US National Cybersecurity Strategy 2023 on March 1. Calling the 2020s a “decisive decade” for cybersecurity, a statement from The White House following the strategy’s release said the US will “reimagine” cybersecurity and reshape how roles, responsibilities, and resources are allocated.

“We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests,” reads the statement. The strategy revolves around five pillars – defending critical infrastructure; disrupting and dismantling threat actors; shaping market forces to “drive security and resilience”; investing in the future; and pursuing international partnerships with like-minded allies.

The ambition to shape market forces has sparked the most immediate response. “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience,” the strategy notes.

“The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios.”

The White House also wants to hold what it calls “the stewards of our data” accountable for data breaches, saying that all too often the individuals who deal with those entities are left to bear the consequences of cyberattacks. The White House says that when entities holding data fail to protect it adequately, they “externalise the cost,” often onto people who will experience disproportionately high levels of harm from cyber breaches.

“Too much of the responsibility for cybersecurity has fallen on individual users and small organisations,” said Biden. “We will re-balance the responsibility to be more effective and equitable.”

Edgard Capdevielle, CEO of California software company Nozomi Networks, welcomed the strategy, saying it underscores “we are all on the same team.” But he said attempts to shift responsibility will be met with varying responses from CEOs and will take time and money, something that The White House needs to consider.

“The National Cyber Strategy’s non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and boards alike,” he said. “While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces will take time, as it is for most companies in this macroeconomic climate.”

The White House says the strategy’s implementation is already underway and that the Office of the National Cyber Director will oversee it.