New National Cybersecurity Strategy Will Require Compliance, Collaboration
The Biden administration’s recently released National Cybersecurity Strategy goes beyond the executive order it issued in 2021, which defined security measures any organization doing business with the federal government must follow.
As our white paper details, the strategy shifts cybersecurity liability “away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
This shift places the onus squarely on “those entities that fail to take reasonable precautions to secure their software,” with the recognition “that even the most advanced software security programs cannot prevent all vulnerabilities,” the strategy said.
The reason for this, the administration explained in the document, is that “companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers.”
The policy also reiterates the importance of a Software Bill of Materials – or SBOM – in the effort to secure open-source components, which are increasingly used in software development. The administration will encourage more development of SBOMs to further incentivize adopting secure software development practices. The strategy also mentions plans to develop a process for identifying and mitigating the risk of widely used unsupported software.
Beyond encouraging the implementation of SBOMs, the strategy has several lofty, if necessary, goals. Specifically, it calls for the government, agencies and businesses to:
- Set necessary cybersecurity requirements in critical regulated sectors to close gaps
- Accelerate tech modernization and replace legacy systems with more secure technologies
- Require greater accountability from tech stewards
- Implement a national cyber workforce and education strategy
- Partner with “like-minded states” on a common digital ecosystem
- Develop legislation that creates a level playing field so that companies will not have to struggle to invest in cybersecurity
The Proof is in the Pudding—Or How it’s Implemented
But industry observers rightly point out that a lot has to happen for the strategy’s objectives to take hold. Brandon Pugh, the policy director for the cybersecurity and emerging threats team at R Street Institute, a nonprofit, nonpartisan, public policy research organization, characterizes the administration’s strategy as ambitious. While acknowledging that it contains several areas that would improve the country’s cybersecurity posture, he believes there are “areas of concern and others that need clarity.”
Pugh and others point out that the success of the new strategy will depend on how the measures are implemented and on putting metrics in place to gauge their effectiveness.
“For example, it is one thing to call for harmonizing and streamlining regulation, but another to ensure it is actually done,” Pugh said in a statement. “This is especially important when the administration is looking to add new requirements and asking industry to take on more in the cyber realm.”
Citing the measures for incident and breach reporting, “there are at least two dozen federally issued requirements,” Pugh said. “This can result in a compliance nightmare and even limit the goal of improving our cyber posture.”
In terms of the recommendation that legislation be enacted to shift liability to manufacturers and software providers, there will be challenges and many questions that need to be addressed first, Pugh said.
During a recent press call to discuss the new strategy, a senior administration official admitted that the current political environment makes legislation in the near future unrealistic, and that it is more like a decade out.
In the meantime, Pugh expressed hope for greater collaboration with stakeholders as the strategy is implemented. We share that hope as well.
For a deeper dive into the tenets of the cybersecurity strategy, read Rezilion’s white paper on the new National Cybersecurity Strategy today.