Can a White House initiative compel tech companies to write safer code?
Microsoft debuted Exchange Server 27 years ago at a time when companies were just beginning to introduce email into the workplace. Allowing companies to run on-premise email servers, Exchange Server was an immediate game changer, helping to usher in a new era of digital communication. But it also brought grave new risks.
Since 1999, security researchers have logged at least 189 vulnerabilities in Exchange Server. There are likely many more, but 1999 was the first year that researchers began recording such flaws on the CVE List. In 2021 alone, Microsoft disclosed 31 Exchange vulnerabilities, its highest annual total. Using four of them, Chinese state-backed hackers ran a sprawling campaign against U.S. law firms, think tanks and defense contractors that hit perhaps as many as 30,000 targets. And last year, hackers returned to hit Exchange, targeting a flaw that Microsoft had failed to fix.
Over nearly three decades, Exchange vulnerabilities have opened up businesses and government agencies to countless hacks, costing many millions of dollars and putting Americans at risk. Despite these enduring problems, Microsoft faces no real penalties beyond reputational harm for its security failures — nor do other software companies. When a consumer buys a piece of software, the terms of service will almost always exempt the provider from liability if something goes wrong.
That could be about to change. In recent weeks, the Biden administration has opened the door to reforming some of the basic economic incentives of the software industry. In its recently released cyber strategy, the Biden administration called on Congress to craft legislation establishing a software liability regime, one that would allow consumers and businesses to sue software makers if they fail to take proper care in designing the security of their tools. Software companies, if the White House has its way, will no longer be able to disclaim liability for the products they produce.
Building secure products is expensive and time consuming, and many experts have long argued that there is little reason for companies to prioritize security over speed in the development process. “The economic incentives are all wrong,” says Bruce Schneier, a public interest technologist and the chief security architect at the firm Inrupt. “If you want these companies to spend money on security — to reduce their earnings — it has to be worth it.”
Three decades after its launch, Microsoft Exchange Server remains buggy, hard to fix and prone to attack, and that has led many security experts to conclude that Microsoft simply isn’t putting the necessary resources into maintaining a product that remains a crucial piece of enterprise infrastructure.
In responding to the breaches of 2021, the company’s “security and customer support teams worked around the clock to support customers as they updated their systems,” a Microsoft spokesperson said, noting that the company continues “to support on-premises customers to move to a supported and up-to-date version.”
Errors in code are inevitable. The failure of software makers to put sufficient resources toward security, however, is making it far harder than it should be to harden computer systems, said Trey Herr, who directs the Cyber Statecraft Initiative at the Atlantic Council. “Users shouldn’t have to be triaging a Swiss cheese product,” he said. “Software will always have bugs but recurring faults, in the same way, in the same place, in the same product, are an issue of bad development practices.”
By embracing liability reform, the Biden administration is trying to shift how big software companies allocate their resources. “Liability is about sharpening the incentives for better development and shifting that burden away from users,” Herr says.
The past decade of cybersecurity policy discussion in Washington has largely focused on information sharing regimes and voluntary best practices, but with its recently released strategy document, the Biden administration is attempting to usher in a new framework for cybersecurity policy, one focused on more stringent regulation. Overhauling software liability sits at the center of that project.
In rolling out the strategy, Kemba Walden, the acting director of the Office of the National Cyber Director, emphasized that it marks a shift in how Washington thinks about cyberspace: “We can’t just think in terms of national security, we also have to think of cyberspace in terms of political economy.”
“Right now we live in the context of first-to-market, not secure-to-market,” Walden said during a recent appearance at the Center for Strategic and International Studies. “What we are trying to achieve is a competitive advantage for those that build in security by design.”
Achieving that goal, however, requires working with Congress, and that means that the centerpiece of the Biden administration’s cyber strategy faces a highly uncertain future.
With Republicans in control of the House of Representatives, passing a regulatory framework is highly unlikely in the near term. After the strategy document’s release, key Republicans in the House immediately criticized it as yet another Democratic power grab for the regulatory state. “It’s no surprise that this Administration’s desire for more regulation, bureaucracy, and red tape is a consistent theme in the National Cybersecurity Strategy,” Reps. Andrew Garbarino, R-N.Y., who chairs the House Subcommittee on Cybersecurity and Infrastructure Protection, and Mark Green, R-Tenn., the chair of the House Homeland Security Committee, said in a joint statement.
This hostile legislative landscape and the thorny technical questions that need answering have Biden administration officials speaking about the passage of a software liability reform package as a long-term project, one that might take up to a decade to shift the burden of securing software from end users to technology companies. Walden says figuring out how to get the balance right will require a “multi-year, multistakeholder process” and help from Congress and software companies.
In writing a software liability policy, the central question that policymakers need to address is how to configure its safe harbor provision. The Biden administration’s strategy document proposes that if companies abide by some set of secure software development rules, then they won’t be subject to liability. By following a higher standard of care, the thinking goes, software companies will tend to build more secure software, and the liability exemption functions as the incentive to get them to abide by that standard.
The offer to the software industry is a simple one: Follow these rules for writing more secure code and you won’t get sued. Exactly what those rules look like will make a big difference as to whether a software liability regime delivers actual security dividends. “The devil is in the details, and the strategy doesn’t have a lot of them,” Schneier says.
The idea of software liability reform isn’t new — academics have been writing about it for at least 35 years and Schneier for the last 20 — and secure development frameworks already exist. The National Institute of Standards and Technology has developed one such set of practices. The Business Software Alliance, an industry group, has built another. Microsoft has put together yet another.
But how to marry these technical frameworks with a legal liability regime that manages to address the sprawling software industry represents a huge open question. In an ideal world, a liability regime would force software companies to reduce the number of sloppy and easily avoidable errors in their code, but as a 2016 report from NIST observed, “defining sloppy and easily avoidable is not a trivial matter.”
Among other challenges, according to Herr of the Atlantic Council, who has written extensively about the issue, are ensuring that a liability regime “does not place new burdens on open source developers, who have little control over who uses their code in critical applications” and that “liability eventually applies to the whole software industry, including cloud service providers and manufacturers like automotive companies.”
“Software is software even if it controls your brakes and plays Danny Boy on the radio,” Herr says.
Security researchers broadly agree that it’s important that a future software liability regime does not expose open source software developers to lawsuits, but at the same time, software makers are continuing to ship code that relies on software libraries with known vulnerabilities. “That’s just no longer acceptable,” says Megan Stifel, the chief strategy officer for the Institute for Security and Technology.
The resource trade-offs between security and other aspects of software development become particularly hard to balance for start-up companies. Stifel will sometimes advise startups, and when she brings up the need to address security concerns, “they sort of look at you like you’re nuts,” she said.
Biden officials have encapsulated the shift they’re trying to achieve with a pithy phrase — “you want to be secure to market, not first to market.” Jeff Greene, who oversaw the defensive cybersecurity portfolio on the National Security Council until July and now works at the Aspen Institute, calls that “an unrealistic aspiration in a capitalistic market,” even if security should be a concern for developers.
Since the strategy’s release, Biden officials have emphasized that they want any potential liability regime to focus on big infrastructure providers in the software ecosystem. Anjana Rajan, the assistant national cyber director for technology security, said during an appearance last week at the BSA — whose members are among those at risk of being sued under a software liability regime — that when technology start-ups rely on infrastructure companies like Amazon Web Services and Twilio, they should be able to expect that these companies are delivering secure products.
Liability for software vulnerabilities, she argued, should be tuned to the degree of importance a company has in the software ecosystem. “It’s not a one-size-fits-all solution,” Rajan said. “We’re going to calibrate responsibility based on your responsibility.”
Big companies like Microsoft — with large legal teams accustomed to abiding by regulatory regimes — are already incorporating the type of secure software development standards that would qualify firms for the safe harbor provision. Taking the example of the Exchange vulnerabilities, as long as Microsoft can demonstrate that it abided by those standards in developing the software, it would not face liability — at least in theory.
Raising the standard of care in the software industry might result in security improvements in the aggregate, but individual companies may still escape liability so long as they can demonstrate that they comply with the provisions of the safe harbor.
For now, the technology industry has responded in surprisingly muted tones to the idea of a liability regime. Henry Young, the director for policy at BSA, described himself as optimistic about how a liability regime might develop. “In order to sell products and services, customers need to trust them,” he said. “We might need to drive some of the less security conscious companies to be more security conscious.”
“I have not spoken to a single person in industry that doesn’t think they can do better,” he added.
Even Microsoft sees the gesture toward liability reform as a positive. “We welcome the strategy’s aim to ensure that technology providers are accountable for using security best practices when developing and managing software and digital products,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a blog post.
Should Congress take up this issue, the stakes of this fight will dramatically increase, as the giant U.S. software industry scrutinizes a proposal that would reshape the legal basis on which it does business. Briefing reporters after the strategy was released, John Miller, a senior vice president at the Information Technology Industry Council, offered a preview of the argument big business is likely to marshal: “Whenever you start distorting market incentives you could end up getting the opposite result than what you were hoping for.”