Software companies must be held liable for British economic security, say MPs
A lack of liability for software vendors is among the most pressing issues putting Britain’s economic and national security at risk, an influential committee of lawmakers warned on Monday.
The report by the Business and Trade Committee says economic threats facing the United Kingdom are “multiplying — and, in the years ahead, will grow exponentially” leading to “a huge increase in the private ownership of public risk.”
While calling on the government to take action to manage these threats more broadly, the committee identified three specific measures to address cybersecurity risks: “introducing liability for software developers, incentivising business investment in cyber resilience, and mandatory reporting following a malicious cyber incident.”
The report follows a series of cyber incidents in the U.K., including a cyberattack on Jaguar Land Rover (JLR) which the committee’s chair Liam Byrne described as a “cyber shockwave ripping through our industrial heartlands.”
The attack on JLR, as well as a spate of ransomware incidents affecting grocery retailers, “highlighted not just the disruptive impact, but also the potential public costs, of increasingly frequent cyberattacks,” warned the committee’s report.
Software liability
Since the industry’s early days, software has been sold to users either as a service or as licensed intellectual property — not as a product with traditional liability standards for defects.
Supporters of the current system — including the Business Software Alliance (BSA) trade association, which includes Microsoft, Oracle and Amazon Web Services among its membership — have lobbied against introducing a liability regime by arguing it would damage the economy by stifling business’s ability to innovate.
Critics of the status quo, including the National Cyber Security Centre’s (NCSC) chief technology officer Ollie Whitehouse, argue that the current system is already causing economic damage.
The issue, as Whitehouse explained earlier this year, is the economic concept of a negative externality: a cost “caused by one party, but financially incurred or received by another,” such as a factory emitting dangerous pollutants. The current situation externalizes the cost of insecurity onto the users of the software, rather than internalizing it by forcing the developers to accept the costs of designing better software.
“The reality is that in 2025, we know how to build secure products and services,” Whitehouse said. A liability model would push the cost currently borne by society back onto the companies themselves, rather than allow those companies to profit while the systemic risk created by their insecure products spreads throughout society.
Despite some interest in the idea in the U.S. under the Biden administration, President Donald Trump has signaled a dislike of the concept, signing an executive order earlier this year that scrapped requirements for software companies that sell to the government to attest that their products are secure.
Alongside its work in the U.S., the BSA also lobbied to change the liability regime being introduced in the European Union’s Cyber Resilience Act. Although the law does not create an EU-wide civil liability regime, it gives European regulators the power to fine companies that fail to meet its security requirements up to €15 million or 2.5% of their global annual turnover, whichever is higher.
The British government maintains a software security code of practice through the NCSC but compliance with that code of practice remains voluntary. The committee recommended that the government require that companies follow the code as a matter of law, with enforcement agencies able to levy penalties against firms that fall short of the rules.
Investment and mandatory reporting
The committee’s other recommendations take aim at different market failures. It notes how “upgrades to software and other IT services are often now made via payments to subscription services rather than one-off purchases,” meaning they are not eligible for tax relief, and calls on the government to amend its capital allowances regime to provide for this.
Richard Horne, the NCSC’s chief executive, told the committee how “unfortunately, many cybersecurity features (such as multifactor authentication) are deemed ‘premium add-ons’; functionality that involves additional cost for organisations.”
Although the report’s recommendation aims to address the tax implications of this, the widespread market practice of providing basic security features as a paid-for service is often criticised within the cybersecurity community.
Rob Chahin, the maintainer of a website called the SSO Wall of Shame, which catalogues software vendors that restrict single sign-on (SSO) to their enterprise tiers, warns: “Many vendors charge 2x, 3x, or 4x the base product pricing for access to SSO, which disincentivizes its use and encourages poor security practices.”
The committee also reported the British government lacks an accurate understanding of the scale of cyberattacks on the private sector. It called on the government to consult on proposals for the reporting of all malicious cyber incidents, not just the mandatory reporting of ransomware attacks that is currently being considered.
“The UK Government will not be able to confront the threat posed by cyberattacks without an accurate understanding of the scale of the problem. Currently large British companies are not required to report cyberattacks. This is detrimental to national economic security,” the report said.
“A full picture of these incidents is essential to not only the Government, but also to industry, helping both to better understand evolving threats and mitigations.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.