Liability and the 2023 National Cybersecurity Strategy
By Joe Billingsley
March 6, 2023
The first time I publicly shared my unpopular policy recommendation to encourage the growth of more cyber lawyers, and why, was while serving on a 2016 panel at George Washington University organized by the Cyber Security Forum Initiative (CSFI). Since then, when appropriate, I have shared the concept with those few who live in the exciting place straddling national policy and cyberspace. It was thus with great satisfaction that I heard the same concept being articulated, almost word for word, by the Acting National Cyber Director last week as she announced the publication of a new National Cybersecurity Strategy.
Within the third pillar of the aforementioned strategy, entitled Shape Market Forces to Drive Security and Resilience, the role of liability is addressed at a depth appropriate for a strategy of this level. In fact, there is an entire numbered strategic objective dedicated to this topic: 3.3, Shift Liability for Insecure Software Products and Services. In this article, I will briefly unpack and explain some of the economic dynamics underpinning the role of liability within the strategy, so far as I believe I understand it. The concepts presented here are general in nature and a result of my years of structured research and informal conversations with a broad array of those touching various aspects of cybersecurity, from the software developer in Silicon Valley to the policy developer in the White House. As a disclaimer, please note that I am not a lawyer, not utilizing any protected information, and not expressing opinions for any person or entity other than myself.
Many would agree that the core, enduring, and interrelated interests of the United States, which are security and prosperity, depend on cyberspace in the 21st century. Every piece of modern networked technology, since it is itself made up of layers upon layers of complex and ever-changing technologies, is inherently rife with vulnerabilities to be exploited. Hence, #EverythingIsHackable. Vulnerabilities are, whether apparent or not, commonplace. That cyber attack surface, as some in the military cyber community may think of it, can be minimized by adequate investment in security-informed design upfront, and robust testing and evaluation before the product, service, hardware, and/or software goes to market. Such prudent activity costs time and money, however. Since no business operates in a vacuum without competitors, there is a time-sensitivity to get one’s offerings to market.
Instead of sufficiently investing to mitigate vulnerabilities upfront, too often a business decision is made to transfer the risk and associated costs onto the citizenry: real people, their families, and their communities. In more mature industries, such as automobiles or food, business decisions that result in harm to consumers would intuitively result in accountability through lawsuits and recalls. The known risk of legal and financial consequences forces businesses in those industries to reevaluate their business decisions and raise standards. In short, haphazardness is deterred.
At a societal level, why has this deterrent effect not yet permeated the tech industry? I argue that it is mainly because we do not have enough lawyers who sufficiently understand cyberspace. Hear me out. These cyber lawyers, as we may refer to them here for shorthand, are extremely rare because they need to be proficient in two very different fields, each of which is difficult enough in its own right. Knowledge of cyberspace and the technologies that undergird it is commonplace amongst lawyers today but is insufficient for the task at hand. A deeper understanding is needed for these challenges. Whether people know it yet or not, if industry is to be held to account for harmful business decisions, the need for cyber lawyers is great. Since there are so few of these cyber lawyers, though, the law of supply and demand applies. Therefore, the average person with a legitimate grievance will not be able to find or afford such a cyber lawyer unless we grow many more of them to make their services more accessible. Few others outside the tech industry will be able to afford them if their numbers remain so low. Such an imbalance in favor of the industry puts the consumer, or user, at a great legal disadvantage.
Based on the above rationale, the lack of cyber lawyers is a critical gap that has resulted in an unfairly and unnecessarily risky cyberspace. Continuous theft, intellectual or otherwise, enabled by this phenomenon of systemic cyber insecurity undercuts the motivation for innovators to innovate. At a macro level, the above dynamic erodes America’s geopolitical competitive advantage of technological innovation fueled by economic reward. At a micro level, individuals are harmed directly or indirectly, be it through outright theft of one’s assets or opportunities.
It goes without saying that the lack of confidence in one’s own systems or suffering kinetic effects enabled by unnecessary cyber risk is, from a national defense perspective, unacceptable. It is also unsustainable since we will never be able to afford generating enough cyber protection assets to keep up with the torrent of malicious cyber activity without changing the risk calculus at the technology’s source. By pursuing this upstream legal approach, the strategy effectively takes advantage of the fact that cyberspace, unlike the others, is a manmade domain.
I believe the line of thinking outlined above is an underlying component of the Cyber Social Contract concept introduced last year by the inaugural National Cyber Director, Chris Inglis. As the White House’s Office of the National Cyber Director sets forth to put this strategy into effect, they are likely to meet industry opposition. As can be imagined, nobody likes the idea of potentially being sued. Therefore, it would be surprising if applicable businesses in the private sector did not jump into subtle action to counter this component of the strategy, including leveraging their considerable assets like lobbyists, business leagues, and their own army of cyber lawyers.
Since no policy decision is without tradeoffs and unintended consequences, the rate of innovation within industry is likely to suffer in the near term as industry reassesses approaches and conforms to the new environment. While the general notion of rate of innovation is left undefined and its measurement unspecified here, one can associate it with two characteristics: a benefit to the public good and return on investment. Smaller businesses, normally seen as an engine of innovation, are not as well positioned to respond to the applicable policy changes, since more investment into designing, testing, and evaluating efforts eats into their very finite resources. The opposite could be true, though, depending on the organization, since smaller firms are typically much quicker to adjust to changing circumstances. That is in comparison to adapting to change across larger organizations, which is commonly likened to turning an aircraft carrier. The strategy seems to address the small business concern, but we will have to see how that is actually accomplished during implementation.
Regardless, an attuned observer could predict that those wishing to blunt the intended effects of the liability aspect of this strategy will prefer implementation through Executive Order (EO) as opposed to law. The main reason for this preference is that an EO is signed by the President of the United States, and enforcement is generally limited to what the executive branch can affect, such as what purchases are made by government agencies. While the federal government can exercise disproportionate market influence in certain industries that heavily depend on it, such as the manufacturers of tanks and battleships, this is not the case in the tech industry, which generally enjoys a very broad non-governmental customer base.
While quicker and easier to adopt, since this is a national strategy already signed and endorsed by the President, the effect of an EO is inherently limited in scope and lacking in permanence, since it can be easily overturned by the next Presidential Administration. Law, on the other hand, is more widely enforceable and intended to withstand the test of time. Since we have a divided government, with the House of Representatives under Republican leadership and the White House and Senate under Democratic leadership, such a law (or series of laws) would have to be bipartisan in nature. Since cybersecurity is usually seen as a rare instance of bipartisanship in DC, there is a real opportunity for such a law to be enacted and the full intent of the strategy to be met.
The below visualization is intended to encapsulate the above discussion and convey the predicted trajectory of the rate of innovation depending on the given course of action (COA) to implement the liability-related aspects of the strategy. One COA is the status quo, operating at a stable enough rate of innovation until the continued state of cyber insecurity eventually slows it down. Another COA is the EO route, as discussed, which is easier to implement but with lessened long-term reliability and impact. The law-based COA does meet the same lessened rate of innovation in the near term as the EO approach, but after the initial period of readjustment, it is expected to provide a much greater sense of legal confidence within which increased rates of innovation are enabled.
With 27 numbered objectives contained within the strategy, it is clear that there are many other interdependent aspects of this strategy worth discussing. Some of those topics, clearly related to what we discussed here, may be cyber insurance, a bureau of cyber statistics, foreign interests and influence on the strategy implementation effort, self-regulation within free markets, and more. However, those topics fall outside the scope of this short and focused article.
Those educated at American war colleges are familiar with three elements that make up an effective strategy: ends, ways, and means. Within the context of this strategy, we can think of the minimizing of the attack surface as an end achieved through upstream legal action, which is the way. However, the key component that has been missing in sufficient quantity has been the means in the form of cyber lawyers. As long as these ends, ways, and means remain out of balance, unnecessary risk will endure. Therefore, anyone genuinely interested in pursuing this strategy must heavily and specifically invest in growing a much larger pool of the people who can accomplish the intended outcomes.
With that in mind, we should be encouraged that the Department of Defense Cyber Workforce Framework and the associated National Initiative for Cybersecurity Education (NICE) version carve out a law-focused work role. Now we will see if more liberal-arts-oriented lawyers get into cyber, as has often been the case to fill vacancies. Alternatively, and maybe more optimally, we may see more STEM (science, technology, engineering, and mathematics) oriented cyber professionals get into law. Either way, I am looking forward to seeing the continued maturation of this field.