White House US National Cybersecurity Strategy Seeks to Shift Responsibility for Cybersecurity to Tech Companies
On Thursday, March 2, the White House released its National Cybersecurity Strategy, which rests on five pillars: defending critical infrastructure; disrupting and dismantling threat actors to blunt their threat to national security and public safety; shaping market forces to boost security and resilience; investing in a resilient future through “strategic investments and coordinated, collaborative action”; and forging international partnerships to achieve common goals. The strategy’s initiatives include shifting responsibility for cybersecurity from end-users to manufacturers, imposing minimum security standards on critical infrastructure operators, and directing the Office of Management and Budget (OMB) to oversee technology modernization at federal civilian agencies.
Two key points in this strategy: (1) Much more talk about regulation, but the US has a very poor record of ever actually passing meaningful federal cybersecurity regulation – witness 20 years of draft national privacy laws that never see daylight; (2) We have seen in the past that the government’s best leverage is through its buying power. To me, the most important thing this strategy says is “We will use Federal purchasing power and grant-making to incentivize security.” But, to be a nattering nabob of negativism: Here’s what President Clinton’s strategy said in 1998: “The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection.” Changing government procurement rules to require higher levels of security and testing of all products and services the government procures should be easier than getting politicians to agree – we have examples like FIPS 140-1 and FedRAMP of that being true, but need many more.
The much-anticipated National Cybersecurity Strategy has dropped. In many respects it’s a continuation of the 2018 Strategy. The primary differences are regulating critical infrastructure sectors and [potentially] shifting the liability burden from consumers to software vendors. On regulation, you can only do so much via executive order. If the strategy is to be fully implemented, the legislative branch will have to be involved. On shifting software liability, defining and measuring ‘secure by design’ is very complicated. Additionally, any liability changes will require action by Congress.
This strategy intends to level the playing field through more specific regulatory requirements to ensure consistent implementation. So long as a risk-based approach remains, this will get us where we need to be. These regulations, and corresponding guidance from NIST and CISA, should be tools the private sector can leverage in planning their cyber strategy. The biggest challenge is going to be how solutions and deployment teams are funded. While mention is made of federal buying power, consideration has to be given to implementation, process engineering, and mortgage costs.
We have to start somewhere, but this strategy suggests the difficulty of this problem. We are in far worse shape, with heavier reliance on technology, and more vulnerable than we were in the Clinton Administration. One might well like to see a strategy that stressed measurement. To paraphrase Thompson, “If one cannot measure it, one cannot recognize its presence or its absence,” and Deming, “If you do not measure it, you cannot improve it.”
William Hugh Murray
Read more in
White House: National Cybersecurity Strategy (PDF)
Cyberscoop: Biden’s national cybersecurity strategy advocates tech regulation, software liability reform
Nextgov: National Cyber Strategy Seeks to Shift Burden from Consumers to Tech Firms
Fedscoop: OMB will oversee multi-year plan to rid civilian agencies of legacy tech
Ars Technica: Biden administration wants to hold companies liable for bad cybersecurity
SC Magazine: Biden’s national cyber strategy wants to redirect responsibility from users to manufacturers
Security Week: White House Releases National Cybersecurity Strategy
Gov Infosecurity: US Cybersecurity Strategy Shifts Liability Issues to Vendors