Global Trends in Cybersecurity Policy: The Case of Internet Security Liability
Increasing the resilience of cyberspace and strengthening cybersecurity policies have become urgent priorities as countries adjust to the realities of the digital economy. The United States, Japan, and the European Union have developed a wide range of cybersecurity strategies, which can be roughly categorized into six areas: (1) protecting critical infrastructure; (2) responding to cyberattacks (developing systems for monitoring, information sharing, incident reporting, and cybercrime investigations); (3) securing information technology (IT) products and services, including supply chain security, creating Software Bills of Materials (SBOMs), developing consumer labeling programs for internet of things (IoT) products, and supporting standardization; (4) investing in cutting-edge technologies, such as artificial intelligence (AI), quantum computing, and space communication; (5) developing a cybersecurity workforce; and (6) promoting international cooperation (examples include the Convention on Cybercrime, responsible state behavior in cyberspace, technology standards, and technology support).
This commentary focuses mainly on the third category, securing IT products and services, which underpins the security of cyberspace.
The March 2023 U.S. National Cybersecurity Strategy, the first in five years, lists several priorities, including the suggestion that service providers should make reasonable attempts to prevent the use of their infrastructure by malicious actors, and calls for implementing a risk-based approach to cybersecurity (Strategic Objective 2.4). Executive Order (EO) 13984, referenced in the strategy, calls for verifying the identity of Infrastructure as a Service (IaaS) customers and, in Section 2(d), for prohibiting the provision of services to certain countries or individuals as directed by the commerce secretary. However, there are many challenges in implementing this EO, and the Biden administration needs to work with stakeholders to untangle concerns about additional requirements and the protection of privacy. Another priority, as noted in a White House press release, is shifting the burden for cybersecurity from individuals, small businesses, and local governments to “the organizations that are most capable and best-positioned to reduce risks.” In particular, the administration aims to “develop legislation establishing liability for software products and services” (Strategic Objective 3.3 in the National Cybersecurity Strategy). The previous cybersecurity strategy promoted “best practices” for adopting secure technologies in the marketplace. Currently, some guidelines and frameworks for developing secure software are available, but they rely on the voluntary efforts of software producers. In contract practice, license agreements usually set a limitation of liability. The new strategy suggests that these current practices allow producers to ignore best practices and thereby introduce vulnerabilities into the market. To counter that trend and encourage secure software development, it seeks to establish standards and legislative liability for manufacturers and software producers.
This is a significant change, as the government is attempting to intervene in, and define, responsibilities that have so far been determined in contracts.
The European Union has also discussed the liability of software producers. A draft of the Cyber Resilience Act (CRA), published in September 2022 and based on the EU Cybersecurity Strategy, introduces strict measures established by legislative means. The CRA will have a significant impact on manufacturers, since a wide range of digital products would be subject to penalties in case of noncompliance. The Cybersecurity Strategy states that the commission will “consider a comprehensive approach, including possible new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market” (Section 1.5, An Internet of Secure Things). The CRA imposes obligations on manufacturers to meet the security requirements (described in Appendix 1) covering design, development, and production; to assess cybersecurity risks and take the results into account during design, development, and production; and to include the results of the risk assessment in the technical documentation at the time of launch (Article 10). It also requires manufacturers to report to the European Network and Information Security Agency (ENISA) within 24 hours after they find any actively exploited vulnerability (Article 11). If a manufacturer fails to comply with these obligations, it must pay fines of up to 15 million euros, or 2.5 percent of its total worldwide annual gross revenue—whichever is higher (Article 53).
Placing insecure software products on the market exposes society to cyber risks. However, if a new system is introduced without well-thought-out practices or measures, it could place an excessive burden on manufacturers. Creating SBOMs, catalogues of the components that make up a piece of software, will improve transparency and allow users to respond quickly to vulnerabilities. The draft CRA prescribes the creation of SBOMs as one of the manufacturer's obligations (Appendix 1). In the United States, an EO directs the secretary of commerce to publish the minimum elements of SBOMs, and the National Telecommunications and Information Administration (NTIA) released a document in July 2021 describing those minimum elements. As that document itself notes, the minimum elements of SBOMs are only a starting point. Exactly what should be included in SBOMs, and how such data should be used to improve cybersecurity, are still under development. It seems too early to turn SBOMs into a legislative requirement, and the process for developing SBOM practices should include the private sector.
Japan is also debating policies to better secure IT products and services. One idea under discussion in a working group led by the Ministry of Economy, Trade and Industry (METI) is to introduce a security conformity assessment system for IoT products. The draft interim summary published in March 2023 identified the issues to be resolved before introducing such a system, including the range of applicable products, the conformity standards, and the schemes the system would adopt. The draft also stressed the importance of collaboration with the United States, the European Union, and other countries. Japan will build on this draft in further policy development.
The following points should be considered when designing systems that shift internet security liability to manufacturers:
- Clarify the applicable products and services and the responsible parties. Digital products and services incorporate multiple software components, which are assembled into final products distributed to the market. How much cybersecurity is actually strengthened depends on the user environment in which the end products or services are deployed. Who would reasonably bear the liability for security, for which components, and in which circumstances? It is also necessary to clarify the definition of “manufacturers” or “providers.”
- Develop enforcement measures. The European Union is considering a strict approach that establishes penalties in the event of noncompliance. In the United States, liability is basically determined in contracts, but a software producer that does not align with best practices could bear liability despite the limitation of liability stipulated in its contracts. To implement stricter measures such as penalties, the standards to be observed must be clearly defined. In addition, if such standards are not economically reasonable, they will place an undue burden on manufacturers and may drive them out of the market. It would be premature to prescribe obligations and potential penalties for things such as SBOMs, where the necessary tools and practices are still under development. Safe harbor measures should be considered when new regulations are introduced in legislation: software providers would have an incentive to meet new security requirements if the legislation exempts those that follow the regulations from penalties.
- Harmonize standards with other related rules. Even within the European Union, both the draft CRA and the Network and Information Security 2 (NIS2) Directive prescribe incident reporting, but each regulation defines the entities that must report and the incidents to be reported slightly differently. This raises the concern that multiple reporting obligations for similar events may result in duplicated information and confusion. It is important to prevent overlap among regulations and to harmonize them with systems in other countries.
There is no silver bullet against cyber threats, which evolve day by day; countering them requires continuous security measures. The United States, the European Union, and Japan are each developing their cybersecurity policies, but there are notable differences among them. It is important that they refer to each other's best practices and coordinate policies so as to increase the resilience of cyberspace without hindering global technology development. Cybersecurity policies that support both resilience and innovation will help generate products and services that can build a secure and prosperous IT society.
Mari Kumano was a visiting fellow with the Japan Chair at the Center for Strategic and International Studies from Fujitsu, Ltd. (May 2022–April 2023).