The White House has released its National Cyber Strategy, outlining how the Biden administration intends to safeguard the US from growing online threats. The plan includes shifting the cybersecurity burden from individuals and small businesses to software developers and other institutions with more resources and expertise. The administration is proposing that legislation should establish liability for software makers who fail to take reasonable precautions to secure their products and services. The legislation would include an adaptable safe harbor framework to protect companies that securely develop and maintain their software products and services. The administration is exploring a national insurance backstop in the event of a catastrophic cyberattack to supplement the existing cyber insurance market. The administration will also focus on defending critical infrastructure, prioritizing cybersecurity research and development, and expanding the cyber workforce.
The plan also includes incentivizing long-term investments in cybersecurity, treating ransomware as a national security threat, not just a criminal issue, and international partnerships to secure global supply chains. The White House said the work has already begun, with President Biden signing an executive order in May 2021 to strengthen the nation’s cyber defenses after the cyberattack on Colonial Pipeline led to widespread fuel shortages. The order created a Cybersecurity Safety Review Board to analyze cyberattacks and make recommendations for future protections. Experts from around the industry sounded off on what the strategy means for security teams at organizations that hold critical data across the private and public sectors.
Clar Rosso, CEO of (ISC)2:
“Today’s release of the Biden-Harris Administration’s National Cybersecurity Strategy is a much-needed and welcome step towards building a bigger, more inclusive and effective U.S. cybersecurity workforce.
The National Cybersecurity Strategy is an opportunity for the U.S. to not only enhance its own cybersecurity posture, but to lead and influence globally. It comes at a time when cybersecurity has never been more critical to the economy, as well as to national and global defense and security.
(ISC)2 recognizes that too many segments of society are under-represented in the cybersecurity profession. The sector is missing out on valuable cultures, experiences, approaches and ideas because of this. We are bringing more women, people of color, entry-level professionals, people with disabilities, immigrants to the U.S., members of the LGBTQI+ community and other underrepresented communities into the profession through our One Million Certified in Cybersecurity program. Today’s strategy announcement commits to building on these shared aims, leveraging the existing efforts of several government agencies, state and federal initiatives as well as supporting the proactive efforts of the industry itself.
To achieve this, we need widespread commitment to training and educating consumers and our national workforce, as well as needing more realistic and achievable hiring practices that extend far beyond the U.S. federal government. Collaboration to tackle cybersecurity needs and threats is central to the new strategy, an approach that makes sense. The strategy recognizes that we cannot place the burden of defending cyberspace on the individual and small businesses alone. Larger organizations will be expected to carry more of the responsibility – commensurate with their greater cyber presence – for reducing the risks that impact us all. That includes ensuring that people, supply chains, communications platforms and operational technologies (OT) are more cybersecurity robust from the outset.
Our workforce and infrastructure need to be built equally on a strong cybersecurity foundation, as well as a strong foundation of user trust that users and data will be safe and secure now and in the future. The commitment to invest in cybersecurity resilience, with a particular focus on developing a national strategy to build and strengthen a diverse and robust national cybersecurity workforce is commendable. The strategy recognizes that organizations are trying to hire from too small a talent pool. We welcome that diversity is recognized as a valuable investment that expands the pool, bolsters the nation’s ability to manage and mitigate incidents, develop new skills to protect our digital future and underpin the next generation of cybersecurity research and development. (ISC)2 looks forward to continuing to work with the Office of the National Cyber Director (ONCD) and with legislative and regulatory bodies to execute and deliver the strategic objectives of this strategy.”
James Hayes, SVP of global government affairs at Tenable:
Support and focus on the basics + critical infrastructure
“The tools and capabilities to protect U.S. businesses and agencies against the vast majority of attacks are well within reach, yet too many organizations are failing to take even minimum steps to protect themselves and their customers. Developers and manufacturers also need to be more accountable in building security into the development of their products and systems in the first place. And the federal government needs to be more accountable in achieving a stronger cybersecurity posture.
Industrial control systems owners and operators need to be more accountable in implementing basic cyber hygiene measures to protect their systems. ONCD and CISA should work with Sector Risk Management agencies to ensure this is done in a coordinated manner.
We are long overdue for baseline cybersecurity requirements for critical infrastructure and time is of the essence. Regulatory action needs to come quickly, needs to have teeth and most importantly, cannot exist in a vacuum. But industrial control system operators cannot wait until the regulations are in place before further investing in their security infrastructure and processes. Forthcoming regulations will at a minimum include CISA’s cross-sector cybersecurity performance goals which critical infrastructure providers should implement now.”
Funding and authority
“Finally, the success of the strategy will rely on Congress to properly fund and empower ONCD and CISA in order to help them tackle all of the areas to be addressed. CISA needs to have authority so they aren’t a paper tiger. It will be a priority to drive alignment not only across federal departments and agencies but also with state and local governments and between public and private sectors.”
Joshua Corman, former CISA Chief Strategist and current VP of Cyber Safety at Claroty:
"CRITICAL INFRASTRUCTURE: The choice to put critical infrastructure at the forefront in Pillar 1 is an important and deliberate one. It’s crucial as the strategy is implemented, that we begin to finally stratify our critical infrastructure functions. I encourage Congress, the White House, CISA, and other parts of government to focus on the most critical of the 55 National Critical Functions—the lifeline, latency-sensitive functions that if disrupted for 24-48 hours could contribute to losses of life or a crisis of confidence in the public. These include: supply water, provide medical care, generate electricity, produce and provide food, etc. Many of the owners and operators of these lifeline functions happen to also be what I’ve called, “target rich, cyber poor”—meaning they are among the most attractive targets for threat actors, with the least amount of resources to protect themselves.
REGULATORY MEASURES: In Pillar 3, which is likely to be the most controversial, the strategy acknowledges market failures and that voluntary free market forces only get you so far (something I’ve told Congress and the last several administrations). To protect the public good, the federal government intends to use its existing authorities to regulate and incentivize better cybersecurity and resilience of the nation’s critical infrastructure. Where it lacks sufficient statutory authorities, it intends to ask Congress for new authorities.
Regulations will comprise a mix of economic carrots, sticks, and instruments. From the importance of software liability (with the promise of crafting safe harbor), to expanding security labels for IoT products, to the continued development of software bills of materials (SBOMs), to insurance backstops, organizations must be incentivized and supported for building secure solutions and products, and the consequences of poor cybersecurity must not fall on those most vulnerable.
CLEAN ENERGY: Among the areas for future investment referenced in Pillar 4, the acknowledgment of clean energy technology as a top priority for cybersecurity investment is an important step. So many of our critical infrastructure challenges come down to the limitations inherent in “legacy technology” where security was an afterthought—if any.
With fresh territory like clean energy, we have a blank slate to build-in security, resilience, and future-proofing from day one. Consequence-driven Cyber-informed Engineering (CCE), secure-by-design, and secure-by-default approaches can better balance the promise and the peril of these promising innovations. As we make a historic investment in clean energy technology and modernize and update our energy infrastructure, we can move beyond fighting the last war. You cannot defend the infrastructure of the future with the tactics of the past.
TALENT SHORTAGE: Finally, while the strategy does discuss the critical need to develop the cyber workforce, we’re hoping the initial critical infrastructure focus of this strategy casts the often-tired topic in a more urgent light. A greater focus should be paid to the requirements and constraints of the OT/ICS workforce. OT has unique hiring and training challenges. For example, it’s not merely finding OT cybersecurity talent, but finding and farming talent to work where our nation’s OT lives. As the strategy is implemented, we hope to help bring fresh thinking and results to this topic."
Dr. Christopher Monroe, Chief Scientist and Co-founder of IonQ:
“Right now we are seeing an interesting juxtaposition between hype about quantum computers breaking encryption and resistance to adopting new encryption and security standards. With researchers apparently showing quantum computers can break much larger codes than ever before, FUD is certainly increasing. However, this claim was overhyped, as the researchers did not show any new evidence or break codes that can’t be decrypted with classical computers.
We know there is a clean and clear way to break encryption – Shor’s algorithm proved that. But the reality is quantum computing technology won’t be able to perform at a high enough level to implement the algorithm for ten, maybe even twenty years. And although the threat of quantum computing implementing Shor's algorithm is a few years away, infusing quantum-proof algorithms into technology now is a great building block to protecting our national security in the near future.”
Josh Lospinoso, CEO and Co-founder at Shift5:
"When you address cybersecurity issues in a wholesale way like this strategy spells out, you start to really encourage the integration of cyber capabilities that will ensure the U.S. maintains its tactical edge over near peer competitors. The policy is very clear eyed about needing to take the burden off the user, the small business, the local government — and very correct that the government and private industry need to keep breaking down barriers to move and innovate at the speed of war."
Brian Fox, CTO and Co-founder of Sonatype:
“Log4shell was the impetus for calls to action for better software supply chain security by governments worldwide. Unfortunately, much of this regulatory action has been focused on the wrong part of the problem, or takes a concentrated approach that is likely to cause more unintended consequences instead of better outcomes. I was fortunate to have an opportunity to review and comment on a draft of the strategy, and support its call for accountability and holistic approach to solving a multifaceted problem. This is a landmark moment for the industry, signaling a nuanced understanding of the threats and complexity of today’s cyber landscape.
Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability. Regulations for other industries went through a similar transformation, and we saw a positive result -- there's now an expectation of appropriate due care, and accountability for those who fail to comply. The strategy aptly starts by taking away vendors’ ability to disclaim any and all liability, while recognizing that even a perfect security process can’t guarantee perfect outcomes. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.
The strategy also moves to hold accountable companies that collect massive amounts of information and then leave that information open to attackers with little recourse. Without regulation changes, the ramifications of these types of breaches can be huge for consumers, while the resulting lawsuits amount to a rounding error and a cost of doing business for these companies. Changing the dynamics of accountability is the only way to drive the proper outcomes. But it’s just the beginning of a much larger conversation.
Shifting accountability will not prevent bad actors from launching malicious attacks. As organizations move to protect themselves, we must not lose sight of the overall goal–resilience through prevention. Successful security strategies will still depend on preemptive measures and vulnerability management programs.”
Ted Schlein, Founding Partner at Ballistic Ventures:
On defending critical infrastructure: “I would refer to this pillar as the ‘Kumbaya’ section. Implicit is that we will need to figure out better ways to share information, collaborate with that information and coordinate with the outcome of what the information tells us. I agree with the overall sentiment. In fact, I can’t imagine anyone disagreeing. But the reality is that we still have far too many cooks in the kitchen, which leads to making it hard to share, collaborate, and coordinate. There is a reticence to declare this group is responsible for talking with the private sector, that this group is accountable for the defense of our government agencies, etc., and then hold each group accountable for their assignments.”
On dismantling threat actors: “This section to me is about answering the question: How do we overcome our bureaucratic authorities so that we can try and secure ourselves? Again, the root of this section has to do with coordination and collaboration between various stakeholders within the federal government and from the outside. These seams in our systems and authorities are something that our adversaries prey on and take advantage of. In order to do this, we need cooperation from our allies, which is why the Ambassador at Large for Cyberspace and Digital Policy was created in the State Department.”
On preventing abuse of U.S.-based infrastructure: “This is a very important section, but how it gets implemented will determine if it can be effective. Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks. We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC (‘know your customer’).”
On shaping market forces: “This is, in my opinion, the most important and impactful section of the NCSS. It’s basically saying that if you make software, create infrastructure to host it, and store data, you are responsible for being a responsible security steward and you will be held liable to enforce this to happen. Why this is so revolutionary is because the entire software industry has basically been built having no liability for what they deliver, security included. This has to happen. How it’s implemented and enforced is key to whether it will be successful… They discuss penalties if a company does not adhere to these standards, yet they do not discuss a benefit. If all there are are penalties, it will pit the technology vendors, the private sector, and the various regulatory bodies against one another rather than being on the same side…. Section 3.5 leverages federal procurement to improve accountability. I’m a big fan of using purchase orders to drive the behavior you want.”
On investing in a resilient future: “This section is about how we can use taxpayer money to do what the private sector will probably do better. I’m being a little snarky here as I am not a fan of the federal government trying to pick technology that needs to be invested in. Overall, I’m a big fan of an increase in basic R&D to universities to work on certain areas that we believe are vital to our national security. I’m just a little suspect of how much money would be allocated here and who would do the allocating.”
On forging international partnerships to pursue shared goals: “I think this is an obvious one. Cybersecurity has no borders, so the more we can do with our allies, the safer we will all be. For this, I’m very happy for Nate Fick’s role as Cyber Ambassador. I could see a version of NATO’s Article 5 being designed for cybersecurity so that if one of our allies suffers a cyber attack then the perpetrator is facing a response from everyone. The idea is to create significant deterrence. Today the U.S. does not view a cyber attack in the same way it views a kinetic attack. Thus, we will encourage more cyber attacks as they are safer to execute for our adversaries and our responses, while they can be meaningful, and far less than a response for a kinetic incursion that results in the same damage.”