- The White House announced a new U.S. National Cybersecurity Strategy – a wide-ranging plan to defend the nation, its businesses, and citizens from cyberattacks.
- The strategy addresses the software industry in several ways, including a call for rules to make companies liable for their products’ security vulnerabilities.
- The cybersecurity policy is expected to translate into concrete security improvements as it is codified into legislation, directives, and regulations.
President Biden’s comprehensive new National Cybersecurity Strategy is drawing praise and attention in the software industry. In the coming months and years, government and industry will collaborate on the critical details of how this high-level agenda should be implemented, including how it will apply to software.
U.S. cybersecurity strategy to act on 5 fronts
Announced in early March 2023, the strategy is built on five pillars, with implications for the software industry including:
- Pillar I: Defend critical infrastructure. Notably, this pillar extends to include providers of cloud services and software-as-a-service.
- Pillar II: Disrupt and dismantle threat actors. Private sector companies in the software and other sectors would engage with government agencies in “collaborative disruption operations … on a continuous basis.”
- Pillar III: Shape market forces to drive security and resilience. This pillar also singles out the makers of software products and services, proposing to make them legally liable for security vulnerabilities.
- Pillar IV: Invest in a resilient future. The software industry’s current skills shortage would be addressed as part of plans to develop a diverse and robust national cyber workforce.
- Pillar V: Forge international partnerships to pursue shared goals. A collaborative effort to secure global software supply chains figures in this pillar of the strategy.
The strategy also incorporates previous directives that have heightened cybersecurity standards for U.S. government agencies and their contractors, as well as pipeline operators and transportation companies.
Software industry faces regulation
The U.S. government, industry, and citizens face an ongoing wave of cybercrime, and administration officials say that voluntary measures to stop it have fallen short. “We need to make a fundamental shift if we want to do better,” Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said as the strategy was being announced.
Regulation will be a tool in achieving this aim, Easterly said. To date, the government has largely applied mandatory minimum cybersecurity standards through federal procurement requirements on government agencies and their contractors. It has also issued directives addressing targeted sectors such as transportation. The national strategy calls for expanding this approach to new sectors, including cloud computing.
As currently foreseen, rules would mandate secure-by-design principles, leveraging existing cybersecurity frameworks such as those developed by the National Institute of Standards and Technology (NIST). Regulators would also develop compliance assessment and audit procedures, which suggests penalties for non-compliance.
Initiatives include liability and testing requirements
Another tool being called upon is software liability. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the strategy says.
Easterly gave a sense of how the government would heighten liability, pointing to the practice in the industry of releasing technology products and services into the market with security vulnerabilities that are later patched. Instead, she said, “Technology must be purposefully developed, built, and tested to significantly reduce the number of exploitable flaws before they are introduced into the market for broad use.”
The National Cybersecurity Strategy calls for greater software security testing to help counter the present situation, in which, as the strategy states, “software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.” Later, the document stipulates that the government will invest in the development of secure software, including in software security testing tools.
CISA is also advancing the use of a software bill of materials (SBOM) under which software releases would be accompanied by a list of their open-source components and other code dependencies. The aim is to help customers make more informed decisions about risks associated with the software, such as potential security vulnerabilities.
The National Cybersecurity Strategy is clear in its call for mandatory requirements: “While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” Crucially, the document highlights the need for systematic and effective software security testing as a key requirement for increasing resilience in the face of continued cybersecurity threats.