Leaders of the Cybersecurity and Infrastructure Security Agency (CISA) recently advocated for cybersecurity being the “responsibility of every CEO and every board,” and the former National Cyber Director argued for a new “social contract,” in which government and large firms take on more of the cyber defense burden. These sentiments align with the National Cyber Strategy, which will likely favor stronger mandates and responsibility directed at private sector entities. At the same time, some policymakers are contemplating changes to Section 230, a federal law pertaining to online content. When the nation’s cyber leaders are asking private companies to do more, it is critical to avoid steps that make it harder for companies to protect users. But that is exactly what changes to Section 230 could do.

The federal law in question is 47 U.S. Code § 230, or simply “Section 230.” At a basic level, it allows an online platform to host and remove user content without becoming liable for said content. Before the creation of Section 230, platforms faced a “moderator’s dilemma”: to avoid liability for moderating content, they could either leave up all content or remove all content that was even potentially concerning. The law solved the dilemma by allowing platforms to remove potentially harmful content without becoming liable for things they may have missed. Some want to see more content removed, whereas others think that too much is already being taken down. This post does not take a stance on that balance; rather, it explores the nexus between Section 230 and cybersecurity, which is critical to keep in mind as the law’s future is considered.

Section 230’s intersection with cybersecurity

Not all content and information is the same, and the term can be viewed more expansively to include malicious computer programs. Let’s take the example of a bad cyber actor transmitting harmful malware to other users over a platform. Without Section 230, platforms again have the moderator’s dilemma: leave the malware on the platform and be protected from liability (putting aside other consequences), or remove it and open themselves to liability for any other malware on the platform. Under Section 230, the platform can remove that malware, and any other malware that it is able to find, without incurring additional liability.

This is a core part of Section 230. While platforms should foster strong cybersecurity, they should generally not be liable for the bad actions of others, potentially even nation states. Bad actors are often looking for cyber exploits and trying to evade cyber detection measures. In fact, some cyber measures are not known until they are used. This is evidenced by zero-day exploits (vulnerabilities that were exploited before a patch was made publicly available), which reached an all-time high in 2021 and affected a variety of companies. A change to Section 230 could directly set a company up for liability and failure, but at the same time, our cyber leaders are asking private sector companies to do more on cyber. Not only might removing cyber threats open platforms up to liability, but resources that could be spent on defending against them might go to defending against those lawsuits instead.

In addition, many platforms take actions to prevent cyber harm to their users and consumers. For example, platforms can be used by bad actors to spread spam and scams. Spam might be just an annoyance to some, but it has the ability to lead to identity theft and other issues like ransomware. Advanced filtering of this type of material helps reduce the chance of an individual unknowingly clicking on a nefarious link or having it appear in their email inbox in the first place.

This concern goes beyond just spam emails. Security programs can block potentially malicious programs altogether that might be fronts for malware. For example, your anti-virus software might alert you that a program or download is potentially spyware. The average consumer is unlikely to be aware of these concerns. Even if they were, cyber concerns can develop at a moment’s notice as bad actors routinely look for ways to exploit software and hardware.

Changes to Section 230 have the potential to disrupt this cyber-related filtering. Specifically, Section 230 can currently help a company defend against a claim that it wrongfully filtered or removed content under the act’s “Good Samaritan” blocking and screening section. This might be seen if a platform removes a comment used to deliver malware, scammers’ attempts to gather sensitive data through phishing, or malicious files hosted on its platform. Without this protection, a company might err on the side of caution by leaving up content that could lead to negative cyber outcomes. Conversely, a platform might be so concerned about screening potential cybersecurity threats to avoid liability that it inadvertently screens something that is not a threat. In an era where the United States is looking for the private sector to do more to protect consumers, limiting this type of proactive behavior would do the opposite and could result in more cyber threats. A culture where all parties, from the private sector to the public sector, are united for cybersecurity is the most effective option.

There are also indirect risks at play. For example, liability concerns hit small businesses heavily because they do not have the financial and personnel resources that larger companies do. Many of our cybersecurity vendors either are or were small businesses, which has led to cyber offerings and innovations that are relied on by all types of businesses and public entities. It is entirely possible that we might not have the next cybersecurity breakthrough if Section 230 protections are lost or adjusted. This is particularly concerning because many entities outsource their cybersecurity functions fully or partially, which puts these cyber companies directly in the crosshairs and open to suit in the event they fail to stop a bad cyber actor or screen potentially risky content.

The private sector is a critical partner in increasing cybersecurity and protecting consumers, which is more important now than ever with cyber risks on the rise. When federal cyber leaders are calling for businesses to do more, it is critical that an environment for action and mutual cooperation be fostered in the cyber arena. Making changes to Section 230 might do the exact opposite.