Coker: ONCD is studying ‘liability regimes’ for software flaws
National Cyber Director Harry Coker said Wednesday that his office has begun work to hold software manufacturers accountable when they “rush code to market,” saying the ONCD is working with academics and legal experts to develop different “liability regimes.”
The cybersecurity of software, an element of the National Cyber Strategy released last March, was a focus for Coker during a speech delivered before an audience of corporate technology executives at a conference hosted by the Information Technology Industry Council (ITI).
Coker’s speech was short on specifics, other than on the dire need to bolster the cybersecurity of software.
He said his office is focused on the “open research problem of software measurability that makes it difficult to understand the quality of code that we use.”
ONCD is also heavily focused on “pushing” government and private sector coders to “ensure secure by design incorporates memory safe programming languages.”
“Some of the most dangerous vulnerabilities that criminals look to exploit are memory safety bugs and memory safe coding languages,” Coker said.
He added that these vulnerabilities have existed for years but are not being included in production because “developers have been slow to adopt it.”
Coker said ONCD will release a paper in the next few weeks addressing both memory safety and software measurability.
Echoing last week’s Congressional hearing with FBI Director Christopher Wray and Cybersecurity and Infrastructure Security Agency Director Jen Easterly, Coker warned that China is actively working to access U.S. critical infrastructure systems in an effort to “disrupt our military's ability to mobilize and the systems that allow us to thrive in our increasingly digital world.”
On Wednesday, the FBI and several other agencies published an advisory warning that China-linked hackers are pre-positioning for “destructive cyberattacks” aimed at critical infrastructure.
Coker stressed that the private sector will be vital to defending America from cyberattacks.
“As we all know, the vast majority of critical infrastructure in our nation is owned and operated by the private sector,” Coker said. “How do we collectively leverage the amazing technologies you all create, which improve the ways we work, live and play, and ensure that they are a source of strength, not just a vulnerability to your company but also to the federal government?”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.