Long-time readers may recall my advocacy for this proposed change to the law insofar as software warranties, or lack thereof, go, as reported by Jim Dempsey of UC Berkeley Law School:
Well, they’ve done it. The Biden administration’s new National Cybersecurity Strategy takes on the third rail of cybersecurity policy: software liability. For decades, scholars and litigators have been talking about imposing legal liability on the makers of insecure software. But the objections of manufacturers were too strong, concerns about impeding innovation were too great, and the conceptual difficulties of the issue were just too complex. So today software licenses and user agreements continue to disclaim liability, whether the end user is a consumer or an operator of critical infrastructure. With this new strategy, the administration proposes changing that.
The strategy’s discussion of the issue starts with an incontrovertible point: “[M]arket forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.” Indeed, the strategy goes on to note, market forces often reward those entities that rush to introduce vulnerable products or services into our digital ecosystem. Problems include the shipping of products with insecure default configurations or known vulnerabilities and the integration of third-party software with unvetted or unknown features. End users are left holding the bag, and the entire ecosystem suffers, with U.S. citizens ultimately bearing the cost. [Lawfare]
The analogy drawn to the early days of the auto industry was fascinating as well, as it is history of which I was unaware.
Another reason to be happy with the Biden Administration.