The High-Stakes Blame Game in the White House Cybersecurity Plan

In the endless fight to improve cybersecurity and encourage investment in digital defenses, some experts have a controversial suggestion. They say the only way to make companies take it seriously is to create real economic incentives—by making them legally liable if they have not taken adequate steps to secure their products and infrastructure. The last thing anyone wants is more liability, so the idea has never exploded in popularity, but a national cybersecurity strategy from the White House this week is giving the concept a prominent boost.

The long-awaited document proposes stronger cybersecurity protections and regulations for critical infrastructure, an expanded program to disrupt cybercriminal activity, and a focus on global cooperation. Many of these priorities are widely accepted and build on national strategies put out by past US administrations. But the Biden strategy expands significantly on the question of liability.

“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” it says. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”

Publicizing the strategy is a way of making the White House’s priorities clear, but it does not in itself mean that Congress will pass legislation to enact specific policies. With the release of the document, the Biden administration seems focused on promoting discussion about how to better handle liability as well as raising awareness about the stakes for individual Americans.

“Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” acting national cyber director Kemba Walden told reporters on Thursday. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe. This strategy asks more of industry, but also commits more from the federal government.”

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, had a similar sentiment for an audience at Carnegie Mellon University earlier this week. “We often blame a company today that has a security breach because they didn’t patch a known vulnerability,” she said. “What about the manufacturer that produced the technology that required too many patches in the first place?”

The goal of shifting liability to large companies has certainly started a conversation, but all eyes are on the question of whether it will actually result in change. Chris Wysopal, founder and CTO of the application security firm Veracode, provided input to the Office of the National Cyber Director for the White House strategy.

“Regulation in this area is going to be complicated and tricky, but it can be powerful if done appropriately,” he says. Wysopal likens the concept of security liability laws to environmental regulations. “You can’t simply pollute and walk away; businesses will need to be prepared to clean up their mess.”

The comparison underscores how resistant businesses will likely be to such a transition, though, particularly large, legacy tech companies whose products are used widely around the US and the world.  “Some companies will welcome the strategy more than others,” Wysopal concedes.

Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues, emphasizes that from an industry perspective, “the devil is in the details” on all these proposals. On legal liability, he says the debate comes down to what exactly is meant by “reasonable.”

“We all see the extremes in the continuum—we see the providers that are doing a poor job, that are just throwing stuff out there,” he says. “I’m fine for liability on them, but what about those that are trying to do their best but are engaged in an unwinnable war with well-resourced hackers? What’s ‘reasonable’?”

One point from the strategy that might see more movement is the Biden administration’s proposal for some sort of federal backstop to help stabilize the cybersecurity insurance market. If liability for cybersecurity failures were to shift in any meaningful way, cybersecurity insurance would become even more vital than it already is for tech companies and others who hold sensitive data, like health care firms. But that’s assuming insurance companies will cover cybersecurity incidents at all.

In late December, Mario Greco, CEO of the massive European insurer Zurich, told the Financial Times, “What will become uninsurable is going to be cyber.” The comment, made a day after Christmas, added an edge to an already tense climate in which companies grasp for safeguards and solutions as cybercriminal and nation-state attacks impose rapidly rising costs.

A government backstop like the one the national cybersecurity strategy is proposing could provide crucial reassurances, but Tuma points out that it could also come with strings attached for the insurance industry and its clients. He suggests the US government could mandate that, in exchange for its support, anyone who makes cybersecurity insurance claims would be required to report the incident to the FBI’s Internet Crime Complaint Center. “They need more cooperation from the private sector in reporting these events,” Tuma says.

And this question of how to incentivize all different facets of cybersecurity investment is at the core of what the new White House strategy is grappling with.

“I feel the White House is very serious about this,” Veracode’s Wysopal says. “The public-private partnership around cybersecurity is quite real in the federal government today. That is a welcome change from just a few years ago.”

Read More
Lily Hay Newman

Latest

3 Reasons to Apply for Inc.’s Power Partner Awards

Please enable JS and disable any ad blocker

World Cup betting markets shift after Jordan Henderson’s bizarre celebration injury

Jordan Henderson, the 36-year-old England midfielder, will miss the remainder of the 2026 FIFA World Cup after suffering a serious wrist and forearm injury during post-match celebrations on July 6. He wasn’t even playing when it happened. Henderson was an unused substitute in England’s dramatic 3-2 victory over Mexico in the round of 16. The

Kraken’s World Cup debut and Brazil’s collapse: what crypto gets from the beautiful game

Brazil came into the 2026 World Cup as one of the tournament favorites. They left in the Round of 16, beaten 2-1 by Norway, undone in part by a tactical decision that raised eyebrows across the footballing world: deploying 34-year-old Casemiro as a central striker, a position he hadn’t occupied in years. Haaland scored both

FIFA overturns Balogun’s red card, Trump intervenes for US World Cup match

https://www.nytimes.com/athletic/7424790/2026/07/06/folarin-balogun-red-belgium-explanation/ FIFA’s Disciplinary Committee has overturned the red card suspension of Folarin Balogun, a key player for the U.S. Men’s National Team, allowing him to participate in the upcoming Round of 16 match against Belgium. This decision, made under Article 27 of the FIFA Disciplinary Code, places Balogun on a one-year probationary period, enabling him

Newsletter

Don't miss

3 Reasons to Apply for Inc.’s Power Partner Awards

Please enable JS and disable any ad blocker

World Cup betting markets shift after Jordan Henderson’s bizarre celebration injury

Jordan Henderson, the 36-year-old England midfielder, will miss the remainder of the 2026 FIFA World Cup after suffering a serious wrist and forearm injury during post-match celebrations on July 6. He wasn’t even playing when it happened. Henderson was an unused substitute in England’s dramatic 3-2 victory over Mexico in the round of 16. The

Kraken’s World Cup debut and Brazil’s collapse: what crypto gets from the beautiful game

Brazil came into the 2026 World Cup as one of the tournament favorites. They left in the Round of 16, beaten 2-1 by Norway, undone in part by a tactical decision that raised eyebrows across the footballing world: deploying 34-year-old Casemiro as a central striker, a position he hadn’t occupied in years. Haaland scored both

FIFA overturns Balogun’s red card, Trump intervenes for US World Cup match

https://www.nytimes.com/athletic/7424790/2026/07/06/folarin-balogun-red-belgium-explanation/ FIFA’s Disciplinary Committee has overturned the red card suspension of Folarin Balogun, a key player for the U.S. Men’s National Team, allowing him to participate in the upcoming Round of 16 match against Belgium. This decision, made under Article 27 of the FIFA Disciplinary Code, places Balogun on a one-year probationary period, enabling him

UK Foreign Secretary Warns World Cannot Wait for ‘AI Hiroshima’ Before Acting

UK Foreign Secretary Yvette Cooper has warned that the world cannot wait for an AI equivalent of Hiroshima before acting, urging global powers to build consensus on artificial intelligence (AI) safety principles and standards. Cooper made the case in an essay, positioning Britain to lead international talks on the technology. ...

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom