The aspirational movement to shift responsibility for security in technology products and services to manufacturers and vendors is a core pillar of federal cyber authorities’ efforts outlined in the national cyber strategy.

“Many proponents of this shift argue that developers and manufacturers understand their products the best, and are also the centralized entity to issue patches, updates and other servicing solutions,” Amy Chang, resident senior cyber fellow of cybersecurity and emerging threats at R Street Institute, said via email.

This incident also highlights the “downstream impacts of vendors who had little recourse to remediate the effects of compromised software,” Chang said.

There should be repercussions for companies that fail to remediate known vulnerabilities, Chang said. But “to punish any company who fails to foresee consequences of vulnerabilities that have yet to be discovered or exploited would be unfair and have the potential to hamper innovation.”