The Biden administration is considering legal and regulatory changes that would bar cybersecurity producers from shielding themselves from the consequences of cyber breaches through industry-standard contract clauses. These clauses, ubiquitous in the industry, limit a vendor's exposure with very narrow warranty remedies and outright damage caps. The reaction from most of industry to this idea has been mostly crickets.

The thinking behind this approach, under consideration by the Cybersecurity and Infrastructure Security Agency (CISA) and the White House's Office of the National Cyber Director (ONCD), is that once vendors can no longer contract away liability, market forces would strongly motivate cybersecurity companies to raise the bar on secure design practices. The approach is unusual but not unprecedented. In 1975 Congress passed the Magnuson-Moss Warranty Act to curb what were viewed as abusive warranty practices, and in the following decade the states enacted so-called "lemon laws" that gave new rights to car buyers stuck with inherently defective automobiles.

This idea has been discussed widely by CISA and ONCD officials, at the recent RSA Conference, at Black Hat and at other large industry gatherings. Industry has largely ignored the ramifications of the proposal, and while the White House has been transparent in its industry engagements to date, industry has said very little about this very significant change in commercial buying practices. The White House may release proposed legislation or other administrative policy later this fall.

Raising the resilience of commercial cybersecurity products is an important outcome, but the issue is whether government intervention to change longstanding industry contracting practices is the right approach. It is a prime example of using acquisition policy to drive a specific societal objective.

The Baroni Center for Government Contracting at George Mason University has joined a group of academics commenting on this issue. We are exploring the costs and benefits and, to date, our research suggests that modernizing industry "standards of care" under tort law, as distinguished from contract law, including concepts such as "engineering malpractice," may be better suited to achieving ONCD's goals.

Adoption of voluntary, industry-led design standards “enforced” by a modernized tort-based framework would create exactly those kinds of market incentives that would expedite industry’s adoption of modern and robust “cyber by design” engineering practice, without disrupting established commercial contracting practices.

While we are not necessarily fans of the mass tort bar, they do, as a group, have the experience and tools to influence industry behavior in a free market economy without express government intervention in the wheels of commerce.

Illustrating the real-world consequences of these issues is the recent litigation by the newly expanded Justice Department government contract fraud enforcement unit against Georgia Tech. The lawsuit pursues civil fraud remedies against Georgia Tech for failing to properly implement established security controls and for filing a misleading cybersecurity "self-assessment" with the government.

False Claims Act liability is nothing to trifle with. If found liable, Georgia Tech could face civil damages and penalties, and could also be "suspended or debarred," cutting it off from new government contracts and putting its existing ones at risk.

ONCD and its team are to be commended for their industry dialogue; however, it would seem prudent for industry to be more involved in what could become a sea change in the way it sells cyber technologies to government.

Richard Beutel is a senior researcher at the George Mason Baroni Center for Government Contracting and the founder of Cyrrus Analytics LLC. As a congressional staffer, Rich was the original author of the Federal IT Acquisition Reform Act (FITARA) and is a nationally recognized expert in IT acquisition management and cloud policy with 25 years of private sector experience and more than a decade on Capitol Hill working on IT acquisition issues.

The post How should software producers be held accountable for shoddy cybersecurity products? first appeared on Federal News Network.