In Early March, the Biden Administration released their "National Cybersecurity Strategy," a roadmap for "a safe and secure digital ecosystem for all Americans," which "reimagines cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society."
One of the main focuses of the strategy, as noted in the Fact Sheet on the White House's website, is "shifting the burden for cybersecurity away from individuals, small businesses, and local governments," and instead putting the responsibility in the hands of the software and hardware manufacturers, i.e. "Big Tech".
"It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it," said Acting National Cyber Director Kemba Walden.
"Today, end-users bear too great a burden for mitigating cyber risks," the official Strategy document states. "A single person's momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens."
The third pillar of the strategy, "Shape Market Forces to Drive Security and Resilience," includes Strategic Objective 3.3, "Shift Liability for Insecure Software Products and Services."
In this section, the Administration notes that "Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance," before continuing that "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities."
The Administration pledges to work with Congress to codify into law legislation that would put the onus of liability onto the software producers.
"Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios," the released strategy states.