AttackFeed by Joe Wagner | If consequences matter, they should apply to vendors, too  - CyberScoop

If consequences matter, they should apply to vendors, too  – CyberScoop

Posted on By Greg Otto
Attack Feeds

Washington has rediscovered consequences. Just not consistently.

The March 6 executive order rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government’s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.

Good.

But weeks ago, an OMB Memo rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and SBOM requests optional rather than durable expectations.

Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.

The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: ransomware, phishing, impersonation, sextortion, and financial fraud that’s run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.

That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.

But then we arrive at software.

The critique of the old federal assurance regime is not entirely wrong. Compliance can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. OMB says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.

Still, the failure of bad compliance is not proof that accountability itself was the problem.

That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.

Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.

This is also why my own position has not changed. In a post I wrote in 2024, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.

That is the deeper issue. Cybercrime at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.

So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.

A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for secure-by-design production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.

The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.

The unanswered question is why that logic should stop at the edge of the scam center.

Brian Fox is the co-founder and CTO of Sonatype.

The post If consequences matter, they should apply to vendors, too appeared first on CyberScoop.

  –

Read More  – CyberScoop 

You may also like

AttackFeed by Joe Wagner | How to Cut MTTR by Improving Threat Visibility in Your SOC  - Hackread – Cybersecurity News, Data Breaches, AI and More
Attack Feeds
How to Cut MTTR by Improving Threat Visibility in Your SOC  – Hackread – Cybersecurity News, Data Breaches, AI and More
February 26, 2026
AttackFeed by Joe Wagner | Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line  - CyberScoop
Attack Feeds
Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line  – CyberScoop
April 27, 2026
AttackFeed by Joe Wagner | Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul  - CyberScoop
Attack Feeds
Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul  – CyberScoop
April 28, 2026
AttackFeed by Joe Wagner | CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad  - Zero Day Initiative - Blog
Attack Feeds
CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad  – Zero Day Initiative – Blog
February 19, 2026