The White House has released its National Cybersecurity Strategy, which envisages a much greater role for US software vendors and tech providers in combatting the growing number of cyber threats.
Published 3 March 2023, the strategy sets out the Biden administration’s plan to make two fundamental shifts in how the US approaches cyber security.
The first shift entails much closer collaboration between government and industry, with the strategy noting that organisations with the requisite expertise and resources should be the ones to shoulder the burden of dealing with cyber threats.
“Our collective cyber resilience cannot rely on the constant vigilance of our smallest organisations and individual citizens,” it said. “Instead, across both the public and private sector, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient.”
It added this would include various national and federal cyber security bodies or initiatives, as well as a wide range of private actors: “The federal government [will] also deepen operational and strategic collaboration with software, hardware and managed service providers with the capability to reshape the cyber landscape in favour of greater security and resilience.”
Biden previously signed an Executive Order in May 2021 to harden America’s cyber defences, with a big emphasis on public-private partnerships and information sharing, which was described at the time by the administration as “the first of many ambitious steps” to modernise the US’ cyber defences.
He later signed a new cyber security incident reporting mandate into law in March 2022, making it a legal requirement for operators of critical national infrastructure to disclose cyber attacks to the US government.
On top of rebalancing the responsibility for defending cyber space, the strategy also aims to realign incentives to favour long-term investment, so that the US can make its cyber space “more inherently defensible and resilient” in the future.
“We must ensure that market forces and public programmes alike reward security and resilience, build a robust and diverse cyber workforce, embrace security and resilience by design, strategically coordinate research and development investments in cyber security, and promote the collaborative stewardship of our digital ecosystem,” it said.
To achieve these two “fundamental shifts” in the US cyber security approach, the strategy outlines five pillars: defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships to pursue shared goals.
In terms of the private sector’s role, the White House said in a fact sheet that these pillars would entail enabling public-private collaboration to work at the necessary speed and scale; engaging the private sector in threat actor disruption activities; and diverting liability for security failures to software companies.
It added that, more generally, the White House will work to expand the use of minimum cyber security requirements; modernise federal networks and incident response policies; promote the privacy and security of personal data; and strategically employ “all tools of national power” to disrupt adversaries.
The strategy would be implemented by the National Security Council (NSC) in coordination with the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD), which will be tasked with making annual reports to the president and Congress on the strategy’s efficacy.
Brian Fox, co-founder and chief technology officer at software supply chain management company Sonatype, who contributed to the development of the strategy, praised the strategy’s move to ensure vendors have greater liability for cyber security risks.
“Log4shell was the impetus for calls to action for better software supply chain security by governments worldwide,” he said, adding that the strategy is a “landmark moment for the industry” that signals a nuanced understanding of today’s threat landscape.
“Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability…the strategy aptly starts by taking away vendors’ ability to disclaim any and all liability, while recognising that even a perfect security process can’t guarantee perfect outcomes.”
He added that the strategy also moves to hold companies that collect massive amounts of information, and then leave that information open to attackers with little recourse, to account.
“Without regulation changes, the ramifications of these types of breaches can be huge for consumers, while the resulting lawsuits amount to a rounding error and a cost of doing business for these companies,” he said. “Changing the dynamics of accountability is the only way to drive the proper outcomes. But it’s just the beginning of a much larger conversation.”
Michael McPherson, senior vice-president of security operations at ReliaQuest, also welcomed the strategy, saying it “affirms the whole-of-government approach to partner closely with the private sector to impose maximum impact on the adversary”.
“Ultimately, the US government wants to degrade the adversary’s ecosystem and impose consequences for their illicit activities,” he added. “Agencies like the FBI will continue to play a leading role in coordinating efforts and driving these disruption operations. While there will be enormous challenges for collaborating with the private sector, this strategy outlines it is imperative to national security.”