It’s time to regulate: The U.S. must make software companies liable for breaches

The software industry has failed to sufficiently protect the public from data theft and misuse. It’s time for the U.S. government to get serious about regulation.

Last year, multiple U.S. government agencies established guidelines for improved cybersecurity hygiene. In May, the White House claimed “known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.” The same month, the U.S. Department of Health and Human Services advised industry constituents to create a software bill of materials to better understand if they were shipping products with known security vulnerabilities.

The U.S. Federal Trade Commission also reported that “outdated software undermines security,” recommending organizations “prioritize patches by severity” and employ a reasonable process to update and patch open source and third-party software in order to reduce the risk of a compromise. Similar guidelines have been offered recently by the Food and Drug Administration, the Department of Commerce, the Department of Defense, the Underwriters Laboratory, and the Department of Homeland Security.

While each of these policies provide sound recommendations, breaches continue at a record pace, providing evidence that, left to its own devices, industry is guilty of poor cybersecurity hygiene. Just as poor hygiene spreads disease across vast populations, poor cybersecurity hygiene inflicts digital casualties across our finance, healthcare, defense, energy, and automotive industries.

In Europe, regulators have taken significant strides to improve cybersecurity and data privacy practices, passing laws to hold organizations liable for poor cyber hygiene practices. In May 2018, the EU’s General Data Protection Regulation (GDPR) goes into effect. Article 32 of the GDPR states that organizations must “implement appropriate technical and organizational measures” to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” When combined with Article 25, which mandates that data protection measures be implemented “by design and by default,” it’s clear security must become ingrained in every element of IT and software development practices. Those failing to follow these rules and who subsequently experience a breach could be fined up to €20 million, or 4 percent of global annual turnover – the greater of the two.

Individual nations are also taking action. Just last month, both French legislators and the UK government announced tougher guidelines for IoT device manufacturers. The UK specifically demanded that security be built into smart devices from the very beginning and that software be automatically updated. The UK also released its National Cyber Security Strategy 2016-2021, declaring organizations “ultimately liable for the security of their data and systems” and subsequently issuing fines for gross negligence.

Similarly, in an effort to put more teeth into U.S. policies through regulation, Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO) introduced a bipartisan bill in August called the “Internet of Things Cybersecurity Improvement Act of 2017.”

A large percentage of breaches today take advantage of weaknesses in software applications, much of which are preventable through automated security practices. My firm put together a report on the software supply chain in 2017, and we found that 80-90 percent of modern applications are assembled from open source and third-party components and that development teams with suboptimal hygiene inevitably use open source components with critical vulnerabilities. Last year, 5.5 percent (1 in 18) components downloaded from internet-based open source repositories contained known security vulnerabilities. We also found that organizations with automated hygiene practices reduced the presence of cybersecurity vulnerabilities in their applications by 69 percent.

Today millions of Americans suffer from breach fatigue. They see breaches as an inevitable side effect of using software connected to the internet. Our policy makers cannot accept the status quo as inevitable. It’s time for them to act.

Derek Weeks is Vice President at Sonatype.