Success of National Cybersecurity Strategy Rests on Swift Action
Just a week after the White House unveiled its long-anticipated National Cybersecurity Strategy, a pair of incidents—a breach at DC Health Link that may have exposed the personal data of members of Congress and a warning that hackers were exploiting old vulnerabilities in VMware—underscored the importance of shoring up cybersecurity defenses and demonstrated that no one is immune to potentially devastating threats.
The newly released National Cybersecurity Strategy has put tech companies, namely software developers, in the hot seat, bearing the brunt of the responsibility for cybersecurity and shining a spotlight on open source developers in particular.
In addition to plotting out how the Biden administration will shore up security against online threats, the strategy also made clear that the White House wants lawmakers to act to make software vendors liable if they don’t secure their offerings.
“The 2023 Cybersecurity Strategy makes clear that the Biden Administration will work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail, stating ‘we must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,’” noted Kaniah Konkoly-Thege, chief legal officer, SVP government relations, chief compliance officer, Quantinuum.
A number of the provisions are aimed at open source developers and software makers. “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments and onto the organizations that are most capable and best-positioned to reduce risks for all of us,” the White House said in a release.
The strategy “will rebalance the responsibility for managing cybersecurity risk onto those who are most able to bear it,” Kemba Walden, acting national cyber director, reiterated in a press briefing cited by CNBC.
“For open source software, the question the National Cybersecurity Strategy raises is ‘Who is going to do the work to ensure open source code meets the new government guidelines?’ Especially since volunteer open source software maintainers often lack the time and incentives to do the work,” said Donald Fischer, cofounder and CEO of Tidelift.
“Government and industry won’t be able to solve this issue through policy alone,” said Fischer. “Instead, the solution is that organizations must work directly with the open source maintainers who create this software to ensure they have the tools and incentives they need to complete this necessary work.”
The new strategy features a number of sections aimed at open source software, according to Tidelift’s Fischer, including shifting liability for cybersecurity away from consumers.
Going forward, expect the federal government to play a stronger role when it comes to open source. “In partnership with the private sector and the open source software community, the federal government will also continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks and testing tools,” the White House said.
The White House strategy proposes to increase government regulation and mandatory requirements for all software applications, Tidelift noted. “For organizations using open source in their applications, now is the time to begin looking closely at the components they use in their open source software supply chain to better understand the cybersecurity practices followed by the open source maintainers behind those components,” the company said.
But the plan also proposes safe harbor for those organizations that follow best practices to develop software securely, Tidelift pointed out. “To begin to shape standards of care for secure software development, the administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” the White House said. “This safe harbor will draw from current best practices for secure software development, such as the NIST secure Software Development Framework.”
“Even amid surging cybercrime, shifting the cybersecurity burden to software developers and tech solution providers may seem an unduly harsh move. However, economically speaking, it makes perfect sense,” said Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network.
“Software vendors will certainly argue that they will be required to raise their prices, eventually harming end users and innocent consumers,” he said. “This is, however, comparable to carmakers complaining about “unnecessarily expensive” airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.”
The multipronged cybersecurity scheme aims to bolster the nation’s security posture by defending critical infrastructure; disrupting and dismantling threat actors; shape market forces to drive security and resilience; investing in a resilient future and forging international partnerships to pursue shared goals.
“This strategy continues a trend of a more activist federal government pushing cybersecurity forward. Within the last 12 months or so, you can see increased announcements and initiatives from CISA, as an example, that foreshadowed something broader,” said Craig Burland, CISO, Inversion6. “The pillars build on existing ideas and cybersecurity principles–defend critical infrastructure, support the nation’s collective defense and embrace security by design. That last item has been discussed in solution development forums for years, but hasn’t become a norm for producers.”
It is the latest in a series of guidance offered by the Biden administration over the last two years, which included a 2021 executive order in the wake of the Colonial Pipeline breach aimed at shoring up the U.S. cybersecurity posture.
“In late 2022, we had specific guidance from the U.S. White House Office of Management and Budgets in memorandum M-22-18, specifically requiring that federal agencies only use software provided by software suppliers who can attest that they’re taking specific government specified secure development practices into account,” said Fischer.
“Those practices are very clearly enumerated in a set of standards put forth by the National Institute of Standards and Technologies (NIST). It’s driving action in the marketplace by federal agencies that are seeking to satisfy this requirement and by private industry organizations who do business with the federal U.S. federal government (and other national governments), which are most large companies,” said Fischer. “Most large businesses, enterprises, have some kind of customer base in the public sector and it raises this really hard question: How do you attest about a bunch of, not just hundreds, but often thousands of open source components that you’re importing from public code repositories?”
Many security pros were delighted with the White House strategy—almost giddy. But they were also quick to point out that the plan is not the end of the journey nor is it even close.
“We applaud the administration’s focus on critical infrastructure and national defense cybersecurity. Our national defense is at risk without a sound and comprehensive cybersecurity strategy supported by a pragmatic operational plan that brings together the public and the private sectors,” said Fortress Information Security CEO and Co-founder Alex Santos.
“The Cybersecurity Strategy is a good first step toward a new means of tackling our challenges, but we need to move quickly as time is not on our side,” said Santos. “This national imperative requires bold action and commitment to make this a home run. We have done it before, most recently with CHIPS Act to secure supply chains for the semiconductor industry.”
But Santos and his cohorts would “like to see more,” he said. “More funding in the National Defense Authorization Act. More strict adherence to deadlines. More incentive for industries to band together to share critical risk and vulnerability information. More collaboration and partnership between government and hardware and software providers. More focus on the most critical industries–defense, utilities and transportation. More support for existing cybersecurity initiatives like Critical Infrastructure Protection standards and the North America Energy Software Assurance Database.”
How effective the White House strategy will be remains to be seen. “The real test will come in the pronouncements that follow. A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming,” said Burland. “How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices?”
