At the beginning of March 2023, the US government released yet another page from its software supply chain security playbook in the form of a document called the National Cybersecurity Strategy 2023, which is built around five pillars:
- Defend critical infrastructure and services
- Counter threat actors globally
- Incentivize the market to secure their software supply chains
- Invest in next-gen cybersecurity solutions
- Work with allies and partners worldwide on the above tactics
But it is the third pillar that is generating the most controversy, since it is meant to:
- Limit software vendors’ ability to contractually disclaim liability for poor software security.
- Increase the likelihood that software vendors will be held liable for insecure software development and maintenance practices.
In the three-way relationship between open source developers, software vendors and customers, the party that always bears the brunt of poor software supply chain security is the customer, who has faced a rising tide of ransomware attacks and other cybersecurity incidents since the start of the pandemic in 2020. In the case of the US government, that impact has been felt most pointedly on national infrastructure, as in the 2021 ransomware attack on Colonial Pipeline, and in the multiple incidents at government agencies that followed the SolarWinds and Microsoft Exchange Server compromises.
While responsibility ultimately rests with whoever created the vulnerable code, it cannot be pinned solely on open source developers who make their software available free of charge. Instead, the US administration believes that exposure to legal liability is a key way to motivate software vendors and service providers who are currently unwilling to invest in securing their software supply chains.
Today, software and service providers typically pass the risk of using their product to the user via an End User License Agreement (EULA). As a result, they rarely face legal consequences when a security flaw is exploited by an attacker, even when that flaw was long known to the company. If the US government has its way, this long-standing practice may no longer offer software vendors the same level of protection against lawsuits.
Secure Software Supply Chain Legal Liabilities
Too many software vendors prefer to “move fast and break things” rather than perform due diligence on security, and then rely on their EULA to effectively act as a CYA mechanism. It is exactly this behavior that the US government is targeting with its proposed liability legislation, which would limit vendors’ ability to shift risk onto end users.
But the strategy also proposes a safe harbor framework that rewards vendors who do the work to ensure their software is securely built and maintained. This would entail spelling out a set of requirements that define the minimum bar for a “secure product/service,” which could then be enforced through the courts. Companies that meet these security standards would be able to claim liability protection, while those that cannot would face a greater risk of claims for failing to address security flaws, secure their software supply chain, patch vulnerabilities in a timely manner, and so on.
This kind of “carrot and stick” approach gives software companies a way to differentiate themselves from their competitors, while the proposed “public-private collaboration in defending critical infrastructure and public safety and defending and modernizing federal networks and federal incident responses” opens up new business opportunities.
Software suppliers to the US government already have a deadline of June 11, 2023 (under OMB Memorandum M-22-18) to attest that their critical software meets secure software development requirements, and many are already taking steps to secure their software. As such, they will likely have a head start on their competition, and be well positioned to take advantage of the proposed safe harbor framework.
Of course, getting the proposed legislation through Congress may be challenging, since the US has historically been reluctant to impose restrictions on the software market for fear of constraining innovation. But without some mechanism in place, software companies are likely to continue their established practices, which is how the software supply chain crisis got a foothold in the first place.
It should be obvious by now that the world’s governments in general (and the US government in particular) are serious not only about encouraging software developers to secure their software supply chain, but also about passing legislation that has the teeth needed to force vendors to make security a priority.
To date, we have seen how quickly the US government has put procurement requirements in place for software vendors, and now we are seeing it start to flex its legal power as well. By now, the message should be clear: secure your software supply chain or pay the penalty, either by being locked out of the US government market or through liability for the damage your software causes.
Frameworks like SLSA can help ISVs fast-track software supply chain security, as can the ActiveState Platform, which offers a zero-config, cross-platform build service for open source language runtimes. The ActiveState Platform’s secure build service provides controls to meet the highest SLSA standard currently available (Build Level 3), while delivering SBOMs and software attestations to help decrease the cost and risk of working with open source dependencies.