Laws to establish liability for software companies that sell technology lacking cybersecurity protections are being pursued by the Biden administration, which has concluded that market forces alone aren’t sufficient to guard consumers and the nation. Free markets and a reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services, says a national cybersecurity strategy released Thursday, reports the Wall Street Journal. The plan says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail. “We must begin to shift the liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” says the strategy, an interagency product written by the office of the national cyber director. The strategy also advocates developing a more expansive framework of cybersecurity regulations to protect the nation’s critical infrastructure, including energy operators, hospitals, and banks, among others. Any legislation supported by the administration should prevent software makers from avoiding liability by contract and create higher standards for software in specific high-risk situations, the strategy says. The administration would develop an evolving safe harbor framework, borrowing from current best practices for secure software, to shield companies from liability, it adds. President Biden said the strategy “takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.” Major software companies “can and should shoulder a bigger share of the cyber risk,” said Kemba Walden, acting national cyber director. 
Hacks of widely used software can be devastating and far-reaching, such as an alleged Chinese cyberattack on Microsoft email software in 2021 that rendered hundreds of thousands of mostly small businesses and organizations vulnerable to intrusion. A senior administration official said the liability push was a “long-term process” that could take many years to develop with lawmakers and industry.