Cybersecurity’s Original Sin (Standalone)
The Political Reality — Why Correct Arguments Do Not Always Win, and How to Run This One
Author’s note: Some colleagues read the series and agreed with the basic premise of the articles. They then said “the industry will never change because it’s too entrenched.” Over the years, I sought advice from various mentors, friends, Claude, legal and technical experts on ways to counter this. This article summarizes those thoughts.
Parts 1 through 4 assembled the argument. The empirical foundation is documented. The legal framework has three tracks. The OT identity argument is grounded in field doctrine. The dual duty chains are mapped. The rebuttable presumption approach is specified. The series has done what it set out to do: build the most complete and precise practitioner case for software vendor accountability in the public record.
That is not the same as winning. This part is about the difference. And I want to be direct about something before you read it: this part is the weakest element of the series.
I can prove that the SANS Top 10 has persisted for twenty-five years through legal and economic mechanisms. I can demonstrate that OT operates under a different security model and that the authorized control argument changes the accountability rules. I can specify three legal tracks with authorities, limits, and honest acknowledgments of what is established versus what is untested. Those things are proved or specified to a standard a practitioner can use.
What I cannot prove is that the political strategy in this part will work. The secondary pressure model I propose is a list of actors with financial stakes and legal authority. It is not a complete theory of why those actors will coordinate, sustain their effort over a decade, and produce a legislative outcome that prior rounds of advocacy did not produce. The same channels were available before this series was written. I am going to tell you why I think this round is different, and I am going to be specific about which differences are real, which are probably real, and which I cannot demonstrate. That is the standard the rest of this series has held itself to and this part should meet it.
The argument is complete. The political strategy is not. Here is what I know, what I think, and what I cannot prove.
The argument is complete. The industry will not change because the argument is complete. It will change, if it changes, because the cost of not changing eventually exceeds the cost of changing. This part is about how to make that calculation come out right.
7. The Political Reality
7.1 The Shield Was Built With Intent and Is Maintained With Intent
The EULA liability shield was not an accident of legal history. It was constructed deliberately by lawyers who understood products liability doctrine, lobbied into place by industry associations that understood Congress, and embedded in commercial practice by companies that understood that the regulatory frameworks being written in the late 1990s would govern a multi-trillion-dollar industry for decades. The people who built it were not negligent. They were effective.
Understanding this matters because it changes the nature of the reform problem. If the shield persists because of inertia or because legislators do not understand the issue, the solution is education and advocacy. If it persists because a well-funded and well-organized industry has made it expensive to remove, the solution requires a different analysis of power and incentives.
The numbers are documented.¹ The communications and electronics sector, which includes Apple, Microsoft, Google, and Meta, spent $585.7 million on federal lobbying in 2024, according to OpenSecrets.² The defense sector spent approximately $191 million in the same period; the technology sector outspends defense on lobbying by roughly three to one. Individual companies amplify this: Meta spent $19.3 million on federal lobbying in 2023; Amazon spent $19.27 million; Microsoft, Apple, and Google each spent between $9.9 million and $13 million.³ These are not exceptional expenditures. They are the routine operating costs of maintaining the regulatory environment the industry requires.
BSA | The Software Alliance, whose members include Adobe, Apple, IBM, Microsoft, Oracle, Salesforce, and Siemens, has opposed mandatory cybersecurity standards and software products liability in every major legislative campaign since the 1990s.⁴ In September 2023, BSA joined three other major industry associations in a letter to congressional committee leaders arguing against a mandatory software bill of materials requirement in a defense bill, characterizing the provision as premature. When the Biden National Cybersecurity Strategy proposed holding vendors liable for insecure software, BSA’s senior director of policy argued publicly that liability would distract companies from “higher-value activities” than fixing vulnerabilities.⁵ The Strategy, released in March 2023, committed the government to develop such legislation. Three years later, no such legislation has been enacted.
The Cyberspace Solarium Commission, established by Congress in 2019, produced recommendations that have been largely implemented, with one glaring exception: the proposal to establish legal liability for flawed software.⁶ As Lawfare documented in 2023, software liability was the Solarium recommendation that had not been acted on; six years after the Commission’s 2020 report, it still has not been.⁷ A divided Congress has never sent software products liability legislation to any president’s desk. The pattern reflects the sustained and well-resourced opposition of an industry that has correctly identified liability as the single mechanism most threatening to its business model. The industry’s trade associations have shaped the language of every cybersecurity framework that has approached mandatory standards: they were present at the drafting tables for FISMA, for the voluntary NIST CSF, and for CMMC. When CMMC approached real accountability, they lobbied for the self-assessment option that became Level 1, the option that requires no third-party verification and creates no meaningful consequence.
Each channel in the secondary pressure model has independent financial stakes and independent legal authority. None requires the others to act. Independent operation is not the same as a coordinated campaign. A campaign that produces a legislative outcome within a decade requires someone to run it: to track the secondary pressure channels, document industry overreaches as they occur, maintain the legislative language in a state of readiness for the focusing event, and sustain the effort across election cycles and political shifts. This series names the coalition. It does not name the coordinator. That role does not currently exist. Its absence is the most important gap between the argument this series makes and the outcome it seeks.
The EULA shield was built with intent and has been maintained with intent. Overcoming it requires engaging with that intent directly — not assuming that a sufficiently precise argument will produce legislative action on its merits, but building the kind of sustained multi-front pressure that makes the cost of maintaining the shield exceed the cost of reforming it.
7.1a What Is Actually Different This Time
The secondary pressure model in Section 7.2 names five channels that have financial stakes and legal authority to move vendor behavior without federal legislation. Before reading that section, a brief honest inventory of what is genuinely different from prior rounds of advocacy and what is not.
Three things are genuinely different. AI-augmented scanning has materially narrowed the “we didn’t know” defense: vendors can no longer credibly attest to a clean security posture without deploying available scanning tools, and that changes the FCA track and the attestation track simultaneously. The EU Cyber Resilience Act will create a foreign regulatory floor that global technology companies are already building into product architecture. Prior rounds of advocacy pushed against an industry with no mandatory security floor anywhere in its major markets. And the “security by MBA” vocabulary gives internal security advocates a documented framework to cite in the next design review, which is a resource prior advocacy did not produce.
One thing is probably different: six FCA cybersecurity settlements through 2025 create a deterrence profile that did not exist in 2020. Behavior change is probable but not proved. No case has produced a ruling on the merits.
One thing is not yet answered: the coordination problem. The channels were available before this series. What makes a multi-channel campaign different from multiple independent campaigns is a coordinating organization running them simultaneously. That organization does not currently exist. Section 7.4 identifies who should create it and what it must be capable of doing.
7.2 What Has Actually Changed Industry Behavior: The Secondary Pressure Model
The history of software security improvement is not primarily a history of legislative victories. It is a history of secondary pressure accumulating from unexpected directions until the cost of resistance exceeded the cost of compliance. Understanding that history is more useful than modeling the reform on the rare cases where direct legislative action succeeded.
Default credential improvement did not come from federal legislation. It came from California SB-327; from the UK PSTI Act; from the reputational damage of the Mirai botnet, which made the cost of the defect undeniable to consumers and insurers simultaneously; and from insurance underwriters who began excluding IoT devices with default credentials from cyber policies. No federal mandate was required. The cost of the defect became impossible to externalize through four different channels simultaneously, and the industry responded.
Insurance underwriters. The cyber insurance market has already demonstrated the secondary pressure mechanism at operator scale. Between 2020 and 2022, ransomware losses drove premiums up by 50 to 100 percent in some market segments. Insurers responded by imposing underwriting requirements (mandatory MFA, security posture assessments, backup and incident response documentation) as conditions of coverage. The mechanism worked exactly as described: insurers imposed requirements, operators implemented them, losses fell. That same mechanism, applied to vendor design architecture rather than operator configuration, is the next stage of the model. The cyber insurance market does not currently price vendor authentication architecture into premiums as a distinct risk category. The SANS Top 10 mapping in this series, combined with the CAIC model and the Whittaker taxonomy, gives underwriters the analytical framework to treat vendor design risk as a separately priceable category. When a product ships without adequate authentication and that defect is traceable to a vendor security-by-MBA decision documented in discovery, the insurer who paid the claim has a subrogation interest in holding the right party accountable. AIG, Chubb, and Munich Re have developed vendor security assessment criteria that affect premium pricing. The dual duty chain argument gives them the legal framework for assessing vendor versus operator contribution to loss.
State attorneys general. State AGs have used consumer protection law to impose accountability on technology companies where federal regulation was absent or inadequate; at the federal level, the FTC has done the same under Section 5 of the FTC Act, treating unreasonable security practices as unfair or deceptive. California’s AG has used the CCPA and the Unfair Competition Law. These actions do not require new federal legislation. They require AGs who understand the SANS mapping and the Whittaker taxonomy well enough to frame vendor design decisions as unfair or deceptive trade practices. This series provides that framework.
Institutional investors. ESG-focused institutional investors have begun treating cybersecurity governance as a material risk factor in equity valuations. When BlackRock, Vanguard, and State Street incorporate vendor security architecture into their proxy voting guidelines, the CFO conversation changes. Vendor design decisions that create liability exposure appear on the balance sheet as contingent liabilities. The CAIC model and Whittaker taxonomy give investment analysts the framework to assess those liabilities.
Foreign regulators. The EU Cyber Resilience Act entered into force in December 2024; its vulnerability and incident reporting obligations apply from September 2026 and its main conformity obligations from December 2027, so vendors are making architecture decisions against that deadline now. The companies subject to it (Amazon, Microsoft, Google, Apple, Cisco) will not build two separate product lines, one compliant for Europe and one non-compliant for the US. CRA compliance will drive global product architecture changes. The US does not need to pass federal legislation to benefit from the CRA. It needs to ensure that CRA standards align with the authorized control requirements this series specifies.
Plaintiff’s lawyers. The rebuttable presumption approach in Part 4 does not require legislation. Courts can adopt presumptions on their own authority. A plaintiff’s bar that understands the SANS Top 10 mapping, the Whittaker taxonomy, and the rebuttable presumption theory has a workable litigation strategy for OT physical harm cases that does not depend on a legislative outcome. Each successful case, even at the settlement stage, raises the cost of the design defect and narrows the EULA shield’s effectiveness.
None of these channels requires the federal legislative mandate as a precondition. All of them are more likely to produce measurable behavior change in the next ten years than legislation is. The legislative mandate remains the right long-term instrument. The secondary pressure model is the near-term mechanism.
7.3 The Standards-Lag Objection
There is one industry objection to mandatory standards that is more technically sophisticated than the standard lobbying responses, and it deserves a direct answer rather than dismissal.
The argument: mandatory standards imposed on a legislative timescale will consistently lag behind the actual threat environment. A CISA-administered mandatory OT authentication standard defined in 2028 will be the compliance floor in 2045. Regulators write standards on a legislative timescale. Attackers operate on an exploit timescale. A mandatory floor becomes a false ceiling when the compliance industry persuades operators that meeting the standard is the same as being secure. Security engineers inside the targeted companies raise this concern in good faith. It is not the same argument as the trade association’s cost-outweighs-benefits research.
The counter is not to dismiss the concern but to address the mechanism: the NHTSA model includes a notice-and-comment rulemaking process for updating standards as the threat environment evolves. The floor does not prevent exceeding it. The CAIC model and the Whittaker taxonomy are evidentiary baselines, not ceilings. A vendor who implements authentication architecture that exceeds the minimum standard faces no barrier to doing so and gains market advantage as the standard of care rises. The concern is therefore an argument for including a rulemaking update mechanism in the statute, which the NHTSA model already provides, not an argument against mandatory standards.
It is also worth noting that the current absence of any mandatory standard has not produced a more agile security baseline: the SANS Top 10 has been the compliance floor since 2001 and nothing required it to move. The industry has spent twenty-five years performing the minimum it requires.
7.4 The Coalition That Can Win This and the One That Cannot
The coalition that has typically advocated for software vendor accountability is composed of security researchers, civil society organizations, consumer advocates, and academic institutions. This coalition produces correct arguments. It does not produce legislative outcomes, because it lacks the economic leverage to make the cost of resistance exceed the cost of compliance for the industry.
The coalition that can win this is different. It includes actors with direct financial stakes in the outcome who are not the software vendors.
The cyber insurance industry has paid billions in claims for harms caused by SANS Top 10 defects that vendors shipped and operators could not fix. Munich Re, AIG, and Chubb are not civil society organizations. They are sophisticated financial actors who respond to loss data. The SANS mapping gives them the loss data framework. The dual duty chain gives them the liability allocation framework. Recruit them.
Critical infrastructure operators — water utilities, power companies, hospital systems — have paid remediation costs for OT incidents caused by vendor design defects for decades. Colonial Pipeline paid $4.4 million in ransom and tens of millions in remediation for an incident that began with a compromised password on a legacy VPN account that lacked multi-factor authentication. Dominion Energy, American Water Works, and HCA Healthcare are corporations with legal departments and government affairs teams. They have a direct financial interest in shifting accountability to the vendors whose design decisions created their exposure. Recruit them.
The plaintiff’s bar has a direct financial interest in a litigation theory that produces recoveries in OT physical harm cases. The rebuttable presumption approach, the CAIC model, and the Whittaker taxonomy give plaintiff’s lawyers the theoretical framework. Trial lawyer associations have more political leverage in state legislatures than any academic institution. In states where strict liability for software defects can be established by common law development rather than statute, that is the path of least resistance. Recruit them.
Foreign governments implementing the EU CRA have an interest in global standard harmonization. Divergent standards create compliance costs for vendors operating in both markets. An alignment strategy that uses CRA as the floor for US standards is more politically achievable than a US-originated mandate because the cost of non-compliance has already been set by a foreign regulator. Use the CRA as leverage, not as a parallel.
There is a sixth channel that is the one most likely to be underestimated: internal advocates inside the targeted companies themselves. Inside every major OT software vendor there are security engineers who have raised the authentication architecture problem in design reviews and been told the certification does not require it. Product managers who pushed for audit logging and were overruled on cost. CISOs who flagged SANS Top 10 exposure in internal risk assessments that went nowhere. This is security by MBA: the engineer identifies the defect; the executive whose compensation is tied to ship dates overrules them because the certification does not require it and the cost is not in the budget. The engineer was not wrong. They were overruled because the organizational system rewarded the MBA for overruling them.
External pressure changes the internal calculus. When the FCA enforcement track produces a settlement, it gives internal security advocates something to point to in the next design review. When insurance underwriters start pricing vendor authentication architecture into premiums, it gives product managers a cost argument they did not previously have. When institutional investors ask about vendor security architecture in proxy voting, it gives the CISO’s risk assessment a board-level audience it rarely gets. The external pressure strategy in this section works partly by giving these internal advocates the leverage they have been asking for.
Practically, this means the SANS mapping, the CAIC model, and the Whittaker taxonomy should be published and presented in forums that internal security engineers read and cite: IEEE Security & Privacy, USENIX Security, RSA Conference, and the SANS Institute itself. The goal is not to convert the executives who have been making the cost-versus-liability calculation. It is to give the engineers in those organizations a documented external standard they can cite in internal design reviews when they argue for adequate authentication.
7.4a The Coordinating Organization
The consumer safety movement had Ralph Nader and, after the National Traffic and Motor Vehicle Safety Act passed, the Center for Auto Safety, co-founded in 1970, tracking recall defects and preparing congressional testimony for two decades before mandatory airbag standards passed in 1991. The environmental movement had the NRDC, founded in 1970, filing litigation and building coalitions before the Clean Air Act Amendments of 1990. In both cases, the coordinating organization existed before the legislative victory, not after.
The software vendor accountability reform effort needs an equivalent permanent organization. It requires three non-negotiable capabilities: legal staff who can file FCA qui tam complaints, develop state tort OT physical harm cases, and engage in regulatory comment proceedings; technical staff who can map specific OT incidents to specific SANS defects in specific vendor products, turning incidents into legally actionable cases; and legislative staff who can maintain federal mandate language at bill-level specificity and update it as the technical standard evolves. A case development function that systematically tracks OT incidents against the SANS defect classes is the organizational capability that makes the next focusing event legally actionable rather than merely politically visible. A funding base outside the vendor community is the structural requirement that makes all of it durable across election cycles.
The most likely founders are not civil society advocates. They are the practitioners who have been making this argument from inside institutions, namely, the CISOs who have raised SANS Top 10 exposure in internal risk assessments and been overruled, the security engineers defeated by security by MBA, the higher education security community that built HECVAT. The series is the argument. The organization is what carries the argument forward after this series is published.
The political history also shows that the opposition’s overreaches have produced more legislative movement than the advocacy community’s arguments. GM’s surveillance of Ralph Nader created the congressional hearing that carried the National Traffic and Motor Vehicle Safety Act to passage. Microsoft’s handling of the Storm-0558 federal email breach, including public statements about the root cause that the Cyber Safety Review Board found the company knew to be inaccurate and did not correct, produced a CSRB report that publicly named the company’s security culture as inadequate. The CISA workforce reduction of March 2026 is a potential overreach in formation: a government action that demonstrably reduces the security of the critical infrastructure the reform effort is trying to protect, taken at the same time the industry’s trade associations oppose mandatory standards. If a major OT incident follows and the causal link is documentable, the political narrative writes itself.
7.5 The Focusing Event: Why the Language Must Exist Before It Arrives
Nearly every major piece of US cybersecurity legislation or federal security mandate has followed a major incident: the Homeland Security Act after 9/11, the Cybersecurity Act of 2015 after the OPM breach, the TSA pipeline security directives after Colonial Pipeline (administrative action rather than statute, but the same dynamic). The window opened because an incident made inaction politically untenable, and closed within months when the political salience faded. But the incident alone is rarely sufficient. The more precise pattern is: incident plus opposition overreach plus prepared language equals legislation.
The thalidomide precedent is the more instructive historical example for this series, because it maps precisely to the operational recommendation that follows. Beginning in 1959, Senator Estes Kefauver had been investigating the pharmaceutical industry for its pricing, its marketing claims, and its resistance to efficacy requirements, and had drafted legislation requiring proof that drugs were both safe and effective before market approval. The bill was stalled. The industry had lobbied against it. Congressional leadership was not moving it. Then, in late 1961 and into 1962, the thalidomide catastrophe became publicly visible: thousands of children, mostly in Europe, born with severe limb deformities from a drug their mothers had taken during pregnancy. In the United States, FDA reviewer Frances Kelsey had refused to approve thalidomide on safety grounds, and that decision looked prescient. Congress moved. The Kefauver-Harris Drug Amendments of 1962 passed the Senate 78-0 and were signed into law within weeks of the legislative window opening. The bill existed. The window opened. The bill passed.
The lesson for this series is specific: the thalidomide incident did not cause the legislation. The incident opened the window. The legislation existed because Kefauver had drafted it before the window opened. Had the language not been ready, the window would have closed without producing a bill, as focusing events routinely do when the legislative infrastructure is absent. The incident did not even need to be domestic at scale. The US cases were largely prevented by a single FDA reviewer’s caution. What mattered was that the political moment arrived and the language was waiting. This is the most important operational lesson for the software vendor accountability campaign: draft the legislation now, at bill-level specificity, before the focusing event arrives. Not as an advocacy document. As a bill.
The Nader parallel teaches a different and complementary lesson. Ralph Nader’s Unsafe at Any Speed in 1965 was a precise and well-documented indictment of the automobile industry. The book alone did not produce the National Traffic and Motor Vehicle Safety Act. What produced it was General Motors’ response: GM hired private investigators to surveil Nader, attempted to dig up personal information to discredit him, and when that became public, the company’s president was hauled before Congress to apologize. The congressional hearing that followed was not about the book’s argument. It was about GM’s willingness to attack the person making it. GM’s overreach created the political moment that the argument alone could not.
The software industry is capable of the same overreach. The Storm-0558 breach, a Chinese intelligence operation against federal email accounts, produced a Cyber Safety Review Board report that found the intrusion preventable, faulted Microsoft for public statements about the root cause that the company knew to be inaccurate and did not correct, publicly named the company’s security culture as inadequate, and recommended accountability measures the company’s lobbying posture had been resisting for years. That report is closer to the Nader moment than anything the advocacy community has produced. The reform effort should monitor for the industry overreach that crosses the threshold: the action that is undeniable, attributable, and that a congressional committee cannot ignore without political cost. The documentation for that moment (the SANS mapping, the Whittaker taxonomy, the vendor’s compliance certifications, the security-by-MBA record) should be ready before the incident occurs, not assembled in its aftermath.
The next major OT incident will open the legislative window. It will last six to eighteen months. The outcome of that window will depend on two things: whether the legislative language exists before the window opens, and whether the reform effort can demonstrate a direct line from the vendor’s design decisions to the harm. Both require preparation now.
One clarification before the operational recommendation: AI-augmented scanning is not a focusing event and will not produce one on its own. A focusing event requires a discrete visible incident, a sympathetic victim class legible to a non-technical audience, and a political moment in which inaction becomes more costly than action for legislators. A capability demonstration has none of these. What AI-augmented scanning does is change the legal terrain on which the next focusing event will be litigated. Before it became commercially standard, post-incident congressional testimony could claim the vendor could not have known the defect was there. After it becomes standard, that testimony is no longer available. The reform effort should not wait for AI scanning to produce political momentum on its own. It will not. The reform effort should use it to strengthen the legal and evidentiary case that is ready and waiting when the focusing event arrives.
Draft the legislation now. Not as an advocacy document. As a bill, with section numbers, with cross-references to the legal authorities in Part 4, with the dual prospective and lifecycle-aware framework specified at the level of detail a House or Senate counsel can work with. The NHTSA administrative law model provides the regulatory structure. The CAIC model defines the authorized control standard. The SANS Top 10 provides the specific defect classes. All of the components exist. The bill needs to be drafted.
The reform effort has two parallel tracks running simultaneously. Track One is the secondary pressure model: insurance, state AGs, institutional investors, foreign regulators, plaintiff’s lawyers. These operate continuously and do not require a legislative window. Track Two is the legislative mandate: draft the bill now, build the coalition now, wait for the focusing event, move immediately when the window opens. The two tracks reinforce each other. Secondary pressure raises the cost of resistance before the window opens. The bill provides the vehicle when the window opens.
7.6 A Realistic Timeline
The honest assessment of the timeline for the federal legislative mandate is a decade, not a year. That is not a reason to abandon the effort. It is a reason to structure the effort correctly.
Years 1–2
Establish secondary pressure tracks. Engage cyber insurance underwriters with the SANS/Whittaker framework. Brief state attorneys general on the consumer protection theory and the rebuttable presumption approach, and brief relators’ counsel and the relevant DOJ enforcement offices on the FCA theory. Engage the EU CRA implementation process. File FCA cases on the strongest available facts. Draft the federal legislative language.
Years 3–5
Build the critical infrastructure operator coalition. Water utilities, hospital systems, and power companies that have paid for OT incidents caused by vendor design defects are the most credible congressional witnesses. Prepare their testimony. When the next major OT incident occurs, these organizations should be ready to speak within days, with documented loss data tied to specific SANS defects in specific vendor products.
Years 5–10
The legislative window will open. The secondary pressure tracks will have raised the cost of resistance. FCA cases will have established enforcement precedent. State tort cases will have established the rebuttable presumption in at least some jurisdictions. The CRA will have produced global product architecture changes. The legislative language will exist, drafted and ready, waiting for the committee chair who is willing to move it.
A decade seems long. The SANS Top 10 has been unsolved for twenty-five years. A ten-year reform campaign that succeeds is better than another twenty-five years of documented persistence. The question is not whether the timeline is long. It is whether the effort is structured to use the time well.
◆
8. Conclusion to the Series
This series set out to answer two questions. The first: why has the SANS Top 10 persisted for twenty-five years, and who bears responsibility for that persistence? The second: does operational technology change the accountability rules, and if so, how?
Parts 1 and 2 answered the first question. The SANS Top 10 persists not because the fixes are technically difficult or economically prohibitive but because a legal and economic architecture was constructed deliberately to assign the cost of the defects to buyers rather than to the vendors who designed them in. The architecture rests on four pillars: the intangibility problem, the contractual disclaimer of the UCC § 2-314 implied warranty of merchantability, advisory patches, and compliance theater. Each pillar is documented. The EULA shield is not a natural feature of the software market. It is a choice, made by identifiable actors at identifiable moments, that has been maintained by sustained organizational effort.
Parts 3 and 4 answered the second question. OT operates under the CAIC security model, not the CIA model the IT security frameworks apply. Control is primary because loss of control in OT is a safety emergency. A vendor who ships an OT control system without adequate authentication has designed a physical control system in which unauthorized physical control is a design feature. That is a Class 3 design defect in Whittaker's taxonomy. It has been on the SANS Top 10 since 2001. Under strict liability, those three facts are sufficient: defective product, physical harm, vendor accountable. The causal chain is shorter and more direct than in IT cases. The deployment variability defense does not apply to deterministic systems. The foreseeability defense does not apply under strict liability. The three-track legal framework routes around the economic loss rule on every vector.
Part 5 has answered a third question that the series originally avoided: given that the argument is complete, what does it take to win? The answer is that winning requires more than a correct argument. It requires a coalition with economic leverage. It requires a secondary pressure model that operates continuously rather than depending on a single legislative window. It requires legislative language drafted before the focusing event arrives. And it requires honest acknowledgment that the industry will fight this, has fought it before, and has the organizational infrastructure to fight it effectively.
None of that is a reason to give up. It is a reason to be strategic. The SANS Top 10 has been unsolved for twenty-five years because the accountability architecture made insecurity profitable. The reform effort will succeed when it makes insecurity more expensive than accountability. The argument in this series is the foundation for that effort. The political work is what comes next.
The most consequential exploits of the past twenty-five years were not executed in terminal windows. They were drafted by lawyers, ratified by courts, and embedded in license agreements that nobody reads. Changing that requires engaging on the same terrain where it was built: in legislatures, in regulatory agencies, in insurance markets, in courtrooms, and in the boardrooms of the companies that have profited from it. The argument is ready. The work begins now.
References and Sources for Section 7.1
¹ OpenSecrets. (2025, February). Federal lobbying set new record in 2024. opensecrets.org — Communications and electronics sector: $585.7 million in federal lobbying expenditures in 2024.
² OpenSecrets. (2025). Defense Lobbying Profile. opensecrets.org — Defense sector: $190,998,142 in federal lobbying in 2025.
³ Statista / OpenSecrets. (2024, March). Lobbying expenses of leading internet companies in the United States in 2023. Meta: $19.3M; Amazon: $19.27M. See also: Visual Capitalist. (2024, August 26). Ranked: Which U.S. Industries Spend the Most on Lobbying?
⁴ BSA | The Software Alliance. (2023, September 14). Industry letter to congressional committee heads on software security regulations in defense bill. bsa.org
⁵ Cybersecurity Dive / Bloomberg Professional. (2023, March 6). Who is liable for flawed software? cybersecuritydive.com — BSA senior director Henry Young: liability would distract companies from “higher-value activities.”
⁶ Lawfare. (2023). The Securing Open Source Software Act Is Good, but Whatever Happened to Legal Liability? lawfaremedia.org — Cyberspace Solarium Commission software liability recommendation: the one recommendation not implemented.
⁷ Lawfare. (2024, May 14). Incentives for Improving Software Security: Product Liability and Alternatives. lawfaremedia.org — No enacted US statute imposes general product liability for software defects.
⁸ TechPolicy.Press. (2026, April). March 2026 US Tech Policy Roundup. techpolicy.press — CISA reduced from ~3,000 to ~800 staff; critical infrastructure assessments halted.
⁹ Duff, Michael Tran. (2026, April). Surviving the Zero-Day Apocalypse. EDUCAUSE Cybersecurity and Privacy Professionals Conference, Anaheim, California. Remarks paraphrased from conference notes; no published transcript available.
NOTE ON THE ORIGINAL CLAIM: An earlier draft stated that "the technology industry spends more on lobbying than the defense industry." The corrected and precise statement: the communications and electronics sector spent $585.7M on federal lobbying in 2024 (note 1), versus roughly $191M for the defense sector in the OpenSecrets 2025 defense profile (note 2); the two figures come from different reporting years and should be read as an order-of-magnitude comparison, not a same-year total. A claim that major associations collectively employ more lobbyists than CISA has total staff was not supportable as written and has been removed.
Appendix: The Software Safety Accountability Project (SSAP)
Section 7.4a identifies the coordinating organization as the single most important gap between the argument this series makes and the outcome it seeks. This appendix specifies what that organization should look like: its name, legal structure, governance, staff categories, funding model, and first-year priorities. It is a proposal, not a founding document. The organization does not currently exist.
Name and Legal Structure
Proposed name: The Software Safety Accountability Project (SSAP). The name deliberately echoes the Center for Auto Safety model: a single-mission nonprofit whose name states exactly what it does. Software Safety is the domain. Accountability is the mechanism. Project signals active campaign rather than think tank.
Legal structure: 501(c)(3) nonprofit. This allows tax-deductible donations from foundations, universities, and individuals; confers charitable status that protects the funding base from vendor pressure; and brings IRS restrictions on partisan political activity, which are acceptable because the work is legal and regulatory, not electoral. One caveat the board must plan around: 501(c)(3) status also limits lobbying (the "no substantial part" rule, or the 501(h) expenditure test if the organization elects it), so the Legislative Division's direct contact with Hill staff on the mandate bill has to be budgeted and tracked against that limit. Litigation, regulatory comments on agency rulemaking, and publishing research are not lobbying for this purpose and are unaffected. Do not structure as a trade association (501(c)(6)) since that would invite vendor membership and create exactly the funding dependency the organization must avoid.
Governance
Board of Directors (9-11 members): CISOs from critical infrastructure operators (water, power, hospital systems); academic cybersecurity law faculty; a former state AG or federal prosecutor; a senior cyber insurance executive; a plaintiff’s bar representative. No software vendor employees. No vendor-funded consultants.
Scientific/Technical Advisory Board: SANS Institute researchers, OT security practitioners, academic vulnerability researchers. Provides technical credibility for case development and legislative testimony.
Executive Director: Practitioner background, not academic. The founding profile is a CISO who has made this argument inside institutions and been overruled.
Staff Structure and Job Categories
Legal Division (3-5 staff)
Director of Litigation: Senior attorney, False Claims Act and products liability background. Manages qui tam complaint development, coordinates with plaintiff’s bar on OT physical harm cases, leads regulatory comment proceedings.
FCA Staff Attorney (1-2): Identifies federal contractor cybersecurity attestation failures, prepares qui tam filings, manages relator relationships.
Regulatory Counsel: Tracks CISA rulemaking, EU CRA implementation, TSA directives; files regulatory comments; maintains the federal mandate language at bill-level specificity.
Technical Division (3-4 staff)
Director of Technical Research: Senior OT security practitioner. Maps specific incidents to specific SANS defects in specific vendor products, the core case development function. This is the Center for Auto Safety recall-tracking equivalent.
Incident Analyst (1-2): Documents OT incidents against the SANS defect taxonomy, builds the evidentiary record that makes the next focusing event legally actionable. Maintains the incident database.
Vulnerability Research Analyst: Tracks vendor attestation claims against AI-augmented scanning results; develops the factual predicate for reckless disregard FCA claims.
Legislative Division (2-3 staff)
Legislative Director: Maintains the federal mandate bill at bill-level specificity, section numbers, cross-references to Part 4 legal authorities, NHTSA model regulatory structure. Updates it as the technical standard evolves. This person’s job is to ensure the bill exists before the window opens.
Coalition Coordinator: Manages relationships with cyber insurers, state AGs, institutional investor ESG teams, and critical infrastructure operators. Prepares congressional witness testimony for the operator coalition. Keeps the secondary pressure channels coordinated rather than operating independently.
Communications Director: Translates technical and legal arguments into formats legible to non-technical audiences. This is the same problem Frances Kelsey’s story solved for thalidomide and Unsafe at Any Speed solved for auto safety.
Operations (2 staff)
Executive Director: Overall organizational leadership, external relationships, and funding development.
Operations/Finance Manager: Grants management, foundation relationships, annual reporting. Ensures funding independence.
Funding Model
The funding model must structurally exclude vendor revenue. Every source below has financial stakes aligned with the organization’s mission.
Foundation grants: Cybersecurity-focused foundations (Craig Newmark Philanthropies, MacArthur, Ford for tech policy), health system foundations whose members have paid OT incident costs, water utility associations.
University partnerships: The higher education security community that created the HECVAT, contributing through annual membership fees in exchange for legislative monitoring and regulatory comment support.
Cyber insurance industry: Subrogation interest alignment makes insurers natural funders. A modest annual contribution from AIG, Chubb, and Munich Re in exchange for access to the SANS/Whittaker incident database is a credible funding ask.
No vendor funding. Ever. This is the structural requirement that cannot be waived. The Center for Auto Safety has maintained it since 1970. It is non-negotiable.
First-Year Priorities
1. File two FCA qui tam complaints on the strongest available facts. Establishes the enforcement posture, generates relator interest, and demonstrates that the organization is operationally active rather than advisory. One timing caveat: qui tam complaints are filed under seal while the government investigates, so the organization cannot publicize them until the court unseals them; the demonstration effect arrives at unsealing, not at filing, and the first-year plan should not depend on announcing the filings.
2. Produce the federal mandate bill at bill-level specificity and share it with sympathetic Hill staff in both chambers. The bill needs to exist before the focusing event arrives.
3. Brief three state AGs on the rebuttable presumption theory for OT physical harm cases. State AG actions do not require federal legislation and create immediate deterrence pressure.
4. Publish the SANS/Whittaker incident database in a peer-reviewed forum. Converts the series’ analytical framework into citable external authority that practitioners can reference in design reviews and litigation.
5. Establish the incident tracking function so the next major OT incident is legally actionable within days, not assembled in its aftermath. This is the case development capability that makes the thalidomide/Kefauver model work: the language exists, the analysis exists, the witnesses are prepared.
This organization is smaller than the NRDC and closer in model to the Center for Auto Safety: single-mission, legally aggressive, technically credible, and funded by the parties who bear the cost of the problem rather than the parties who profit from it. The Center for Auto Safety started with two people and Nader's seed funding. The division counts above total roughly 10-14 staff at full operational capacity. It is fundable at a budget of approximately $2-3 million annually. It does not currently exist.
END OF SERIES
This article was written with AI assistance (Claude Sonnet 4.6, Anthropic). The structural analysis, historical judgements, legal positions, and policy prescriptions are the author’s own.
