Mar 07 2023

Dropping SBOMs on the Private Sector

Last week, the Biden Administration released a new National Cybersecurity Strategy. It proposes new cybersecurity regulations and protections for critical infrastructure, increases efforts to disrupt cybercriminal activity, and improves cooperation with our allies and partners around the world. These are logical extensions of efforts from previous years and previous administrations.

The big new idea is a goal of shifting the economic burden of insecure software away from the end user, frequently a small or medium-sized business, and onto the company that produced the software that was compromised. The mechanism for that would be legal liability, which would require Congressional action. Even if the idea could be pushed through the current Congress, a dubious proposition given the split control of the two chambers, it would be very tricky to do so in a manner that doesn't damage businesses' ability to create new software products.

Poor legislation could be more damaging than no legislation.

Whether or not it goes anywhere, the idea is out there and it's already working its way into practice. If you're a software developer, large or small, make sure you incorporate good DevSecOps practices into your development process before the government makes you do it against your will.

