US announces far-reaching 5-point cybersecurity strategy
Includes measures to shift more liability for breaches onto big tech vendors
The US government yesterday released a five-point National Security Strategy designed to shore up the nation's digital infrastructure, including placing more responsibility on vendors to ensure their products are secure and realigning incentives to favour long-term investment in countering emerging and future threats.
Defend critical infrastructure
The first "pillar" of the strategy concerns bolstering critical infrastructure, much of which is in private hands, by expanding security requirements, improving collaboration between public and private bodies, and encouraging individual states, departments and agencies to work through Congress to close any gaps.
Included in this is streamlining and harmonising regulations, and providing financial support to regulated industries that might struggle to comply. It also seeks to build on Biden's previous Executive Order EO 14028, Improving the Nation's Cybersecurity, "to defend the federal enterprise and modernise federal systems in accordance with zero trust principles."
By insisting on high security standards for suppliers to government agencies, the White House wants those standards to trickle down to the broader ecosystem.
Disrupt and dismantle threat actors
The second pillar concerns the US's plans to frustrate and go after attackers. "Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States," the document says.
This includes building on past successes in arresting cybercrime suspects, fostering international cooperation and taking down financial infrastructure that supports ransomware gangs. It also calls for more coordination between public and private sectors, in areas such as threat intelligence.
"The private sector has growing visibility into adversary activity," the document says. "This body of insight is often broader and more detailed than that of the Federal Government, due in part to the sheer scale of the private sector and its threat hunting operations, but also due to the rapid pace of innovation in tooling and capabilities."
Shape market forces to drive security and resilience
The third pillar is perhaps the most radical, as it calls for direct government intervention in making vendors more responsible for their products, rather than passing that responsibility down to end users and small businesses.
Its intention was telegraphed by recent statements by CISA director Jen Easterly, who said: "We have accepted this strange cultural norm where software and technology comes off the line just rife with vulnerabilities."
In a separate statement, she pointed to Microsoft's monthly retrospective patching regime as an example of these unwanted norms. "While it will not be possible to prevent all software vulnerabilities, the fact that we've accepted a monthly Patch Tuesday as normal is further evidence of our willingness to operate dangerously at the accident boundary."
The National Security Strategy says: "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software."
It continues: "Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.
"Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance."
Importantly, it transfers responsibility for the security of software modules from the often under-resourced teams who develop them and later see their work adopted in ways they had never planned for, to the software companies that use and monetise their code.
"Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product," the strategy document says.
Commenting on this section, Amanda Brock, CEO at OpenUK, said: "We applaud the clear statement from The White House that open source developers will not be responsible for any commercial usage of their software despite a bold and clear shift in liability to commercial entities distributing software on a commercial basis. Unlike the EU's much criticised Cyber Resilience Act, the White House have got it right.
"We very much hope that the UK will continue along similar lines, having clearly made the same recognition of the importance of open source software and recognition of the unique position of the developer community in their consultation, now under way. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the open-source developer of a component that is integrated into a commercial product."
Invest in a resilient future
Pillar 4 is all about "reducing systemic technical vulnerabilities in the foundation of the internet" and making it more resilient against "transnational digital repression".
"The internet is critical to our future but retains the fundamental structure of its past," it notes. "Many of the technical foundations of the digital ecosystem are inherently vulnerable."
The White House plans to increase R&D activities and tie them into its broader plans, including the rollout of renewable energy infrastructure. In view of the threat to encryption posed by quantum computers, it will also prioritise the "transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments."
The paper details plans to boost the cyber workforce and close the yawning skills gap.
Clar Rosso, CEO of security certification association (ISC)2 welcomed the focus on boosting cyber skills and broadening its outlook.
"The commitment to invest in cybersecurity resilience, with a particular focus on developing a national strategy to build and strengthen a diverse and robust national cybersecurity workforce is commendable," she said.
"The strategy recognises that organisations are trying to hire from too small a talent pool. We welcome that diversity is recognised as a valuable investment that expands the pool, bolsters the nation's ability to manage and mitigate incidents, develop new skills to protect our digital future and underpin the next generation of cybersecurity research and development."
Forge international partnerships to pursue shared goals
The final pillar lays out the US government's intention to work more closely with "like-minded partners" to bolster defences through joint preparedness and response plans and increasing the security and reliability of global technology supply chains.
"We will expand coalitions, collaboratively disrupt transnational criminals and other malicious cyber actors, build the capacity of our international allies and partners, reinforce the applicability of existing international law to state behaviour in cyberspace, uphold globally accepted and voluntary norms of responsible state behaviour in peacetime, and punish those that engage in disruptive, destructive, or destabilising malicious cyber activity," it says.