Cybersecurity and Infrastructure Agency (CISA) Director Jen Easterly said on Jan. 31 that she favors the establishment of a liability framework to encourage software companies to ensure that their products are secure, particularly in key sectors, like the electricity grid.

“This is both a current problem and a legacy issue,” Easterly told a hearing of the House Select Committee on the Chinese Communist Party. “What is critical is that we start now to develop a regime–and this was part of the National Cyber Strategy–that can hold software makers liable for creating defective technology because, frankly, I believe if we had something like that and that was put in place at the dawn of the Internet and when software was developed, we would not be in a world where the Internet is full of malware and software is rife with vulnerabilities. We need a software liability regime that’s based on a measurable standard of care but also safe harbor for those software developers who do responsibly innovate by prioritizing security–not speed to market, not cool features.”

“That’s a place where Congress could be incredibly helpful,” she said. “We’ve also been working directly with industry…to put a priority on secure by design software as well as international partners. We need to ensure that individual consumers are also aware that they need to be asking for products that are secure by design and not defective. We are making things too easy for our adversaries.”

The Trump administration's 2018 cyber strategy contained no such corporate liability policy. The Biden administration's National Cybersecurity Strategy, released in March last year, pledged that the administration would work with Congress and industry "to develop legislation establishing liability for software products and services."

“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy said.

During the Jan. 31 hearing, FBI Director Christopher Wray told the committee that Chinese hackers would still outnumber FBI cyber specialists by more than 50 to 1 even if the agency directed all of its cyber specialists and intelligence analysts to focus on China. Army Gen. Paul Nakasone, the head of U.S. Cyber Command, said that U.S. companies give the U.S. a technological edge.

The People’s Republic of China (PRC) “has a bigger hacking program than every other major nation combined,” Wray said at the hearing. “In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”

Testimony from Nakasone and Easterly asserted that China would try to sow havoc in the U.S. by disabling electrical power, oil and gas, and transportation systems in order to depress U.S. will to defend Taiwan as a prelude to a Chinese invasion of the island.

In response to a question from Rep. Bob Wittman (R-Va.) on what makes the Chinese cyber threat unique, Nakasone replied, “Responsible cyber actors of democracies like our own do not target the civilian infrastructure.”

“There’s no reason for them to be in our water,” Nakasone said of Chinese hackers. “There’s no reason for them to be in our power. This is a decision by an actor to actually focus on civilian targets. That’s not what we do.”

Yet, in response to a follow-up by Wittman on deterring Chinese hacking by communicating to China the U.S. capacity for overwhelming offensive cyber attacks, Nakasone said, "We do have the capability, and we're very, very good–the best."

“We communicate it in many different ways from our policy makers who have these discussions, to the exercises that we conduct, to the real world examples that we do with a series of different partners,” he testified. “We have discovered what they’re doing, and we’ve exposed it. The partnerships that exist between our agencies and our commands concern the Chinese. It’s the work with the private sector that gives us scale. They may have 50 to 1, but when we have the private sector we outnumber them.”

Nakasone did not specify in his response whether U.S. offensive cyber attacks would solely target Chinese military targets or civilian ones as well.