On Thursday, the White House instituted its National Cyber Strategy, which serves as a roadmap for how the Biden administration plans to protect the United States from dangers online. The strategy would transfer responsibility for cybersecurity from people and small enterprises to those most qualified to reduce cyber risks.
The administration seeks legislation that holds software developers accountable when they don’t take adequate security measures to protect their goods and services. On Thursday, the White House finally unveiled its much-anticipated National Cyber Strategy, which offers a roadmap for how the Biden administration plans to protect the United States from a fast-expanding range of cyber threats.
A critical aspect of the new structure is that software developers and other organizations with the necessary means and skills will take on the duty of cybersecurity instead of individuals, small enterprises, and local governments. Acting National Cyber Director Kemba Walden stated during a news briefing on Wednesday that “the president’s approach radically reimagines America’s cyber social contract.”
The White House today released its National Cybersecurity Strategy and in it emphasized the criticality of securing global technology supply chains. Read the full document here. #supplychainsecurity #cybersecurity https://t.co/S0VoB2LivX pic.twitter.com/bKjc4cYutN
— Eclypsium (@eclypsium) March 2, 2023
It will shift the burden of managing cyber risk to people who can handle it the best. The largest, most skilled, and best-positioned players in our digital ecosystem “can and should take a bigger part of the burden for managing cyber risk and keeping us all secure,” continued Walden. She claimed that it is “unfair” and “ineffective” to place responsibility on people or groups who are unable to protect themselves.
The White House is urging lawmakers to hold software developers accountable for failing to adopt basic security measures for their goods and services. In its draft report, the administration stated that it would collaborate with lawmakers and business leaders to create the legislation’s language, which would contain “an adaptive safe harbor structure” to defend businesses that “securely develop and maintain their software products and services.”
The legislation isn’t anticipated to pass in the coming year; it is instead a component of a longer-term strategy, according to a senior administration official who was not authorized to be named.
In order to augment the current cyber insurance market, the Biden administration declared it would look into a national insurance backstop. It will also emphasize safeguarding key infrastructure, streamline rules, and treat ransomware as a danger to national security rather than just a criminal problem.
The policy also places more emphasis on encouraging long-term cybersecurity investments, even as it addresses immediate risks. The administration will emphasize cybersecurity research and development for cutting-edge technologies and spend money hiring more cyber professionals.
In order to combat threats and establish safe worldwide supply chains for communications technology and other sorts of equipment and information, the framework also asks for a concentration on international cooperation.
According to the White House, work has already begun. For instance, in May 2021, President Biden issued an executive order to fortify the country’s cyber defenses. That happened soon after Colonial Pipeline was the target of a hack that caused severe fuel shortages.
The directive instructed IT service providers to alert the government to any cyberattacks that might have an impact on national networks. Also, it established a Cybersecurity Safety Review Council with representatives from the public and business sectors to examine intrusions and suggest improvements for future defenses.
Conclusion
The much-anticipated National Cybersecurity Strategy from the U.S. government was unveiled on Tuesday. It pushes for mandatory rules on companies that provide key infrastructure and approves a more aggressive “hack-back” strategy to deal with foreign attackers.
A statement outlining the plan claims that it will “position the United States and its allies and partners to develop that digital ecosystem together, making it more simply and inherently defensible, robust, and consistent with our principles.”
The five pillars the plan aims to strengthen and develop are as follows: Protect Crucial Infrastructure; Destroy and Destroy Attack Actors; Modify Market Forces to Promote Security and Resilience; Invest in a Future of Resilience; and Create International Relationships to Work Toward Common Objectives.
The document calls for a significant shift in liability “onto those entities that fail to take reasonable precautions to secure their software,” noting that “[while] voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases, inadequate outcomes.”
“We’re pleased to see that the Biden Administration has continued to make cybersecurity a priority with the release of the National Cybersecurity Strategy last week. Businesses and organisations in the US need more clarity, however, to understand how to interpret it and get a handle on how to move forward with it.
“There’s a lot to unpack in the Strategy, but a good place to start is building resilience in cyberspace. This is going to require organisations to lean on innovative technologies that act as alternatives to the traditional layers of security. We see that focusing on threat prevention ahead of detection and response makes good sense in order to improve overall security effectiveness. Technologies that provide isolation, deception solutions or data micro-segmentation could be starting points.”
“The Biden Administration’s national cybersecurity strategy is a step in the right direction toward making a real and lasting impact on building resilience throughout our critical infrastructure. However, having a ten-year strategy simply isn’t effective. We understand so little about technologies like quantum and AI today, it’s hard to imagine what the impact of technology will be on security in ten years. If we’ve learned anything the past few years it’s that breaches are inevitable, so it is essential that organizations, particularly critical infrastructure, reduce their risk to cyberattacks ASAP, not in ten years.”
The need to defend critical infrastructure was top of mind for many in 2022, with both the Colonial Pipeline ransomware attack and multiple attacks on water treatment facilities that continue to reinforce the need for improved protection and resiliency from both state-sponsored actors and individual attackers alike. The White House is calling for new regulation that is not only for critical infrastructure, but sector-specific regulatory frameworks. While the idea of sector-specific frameworks is a good one, these frameworks are not one size fits all and have specific guidance and controls that can be very beneficial. There is a lot of work to be done on defining the sectors, the frameworks, getting buy-in and providing guidance on not just implementation, but how they will be measured and enforced, because a framework with no enforcement is entirely voluntary and runs contrary to the goal of rebalancing the responsibility of defending cyberspace. As we’ve seen as an industry, getting a standard built, especially a collaborative one, can be extremely time-consuming, and the ability for it to become watered down and lack the teeth to drive change is always a risk in the development and refinement process.
An interesting element of the first pillar of the strategy is to create and institute incentives that ensure that low-margin sectors or disincentivized sectors might have the economic support to implement or, at a sector level, may become mandatory across every provider in a sector, reducing the often-seen fight between doing what is right from a security perspective, with the concern that a competitor may forgo those same costs and be able to achieve a lower cost for the market or higher margins. Each of these objectives calls on both industry and government collaboration along with the help of Congress to close any statutory gaps, which again is asking a divided government to do the unpopular task of providing additional regulatory guidance.
An interesting element of the goal of “Scaling Public-Private Collaboration” is to continue to invest not only in the multi-directional sharing of information, but the calls for leveraging of security orchestration to enable real-time sharing to drive threat response. This is the second time the current administration has called for security orchestration to meet cybersecurity challenges. In the first year of the current administration, OMB sent out memorandum M-21-31 calling for orchestration, automation, and response in response to the SolarWinds breach.
The National Cybersecurity Strategy lays out a lot of great high-level ideas with the goal of modernizing the federal government’s cybersecurity strategy with the understanding that it needs help from across the government and the private sector, but does leave some questions unanswered around the speed and ability to execute inside the windows of an Executive administration and its inevitable changes in leadership that come, at the longest, in eight-year cycles. Like almost everything in cybersecurity, real progress is not just made with strategy, but in detailed hands-on work.
This strategy continues a trend of a more activist federal government pushing cybersecurity forward. Within the last 12 months or so, you can see increased announcements and initiatives from CISA, as an example, that foreshadowed something broader. The pillars build on existing ideas and cyber principles – defend critical infrastructure, support the nation’s collective defense, and embrace secure by design. That last item has been discussed in solution development forums for years, but hasn’t become a norm for producers.
The real test will come in the pronouncements that follow. A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming. How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.
“Even amid the surging cybercrime, shifting the cybersecurity burden to software developers and tech solution providers may seem an unduly harsh move; however, economically speaking, it makes perfect sense.
“Software vendors will certainly argue that they will be required to raise their prices, eventually harming the end users and innocent consumers. This is, however, comparable to carmakers complaining about “unnecessarily expensive” airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.
“Most industries – apart from software – are already comprehensively regulated in most of the developed countries: you cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards. Software and SaaS solutions shall be no exception to that.
“That being said, overregulation or bureaucracy will certainly be harmful and rather produce a counterproductive effect. The technical scope, timing of implementation and niche-specific requirements for tech vendors will be paramount for the eventual success or failure of the proposed legislation. Unnecessarily burdensome or, contrariwise, formalistic and lenient security requirements will definitely bring more harm than good. Therefore, the new legislation shall derive from the intensive and open collaboration of independent experts coming from industry, academia and specialized organizations to ensure a properly balanced regulation that would consider legitimate interests of all concerned parties.”