5 Things To Know On The White House’s National Cybersecurity Strategy

While the sweeping Biden administration strategy addresses a number of different components of the modern cyberthreat and defense landscape, the focus on holding vendors accountable for producing vulnerable products could be one of the biggest areas of change and controversy.

National Cybersecurity Strategy

The Biden administration has released its much-awaited National Cybersecurity Strategy, and there’s a lot to digest. The 39-page strategy spans issues of critical infrastructure security, disruption of threat actors, investments in cyber resilience and international partnerships around cybersecurity. Arguably, though, the most revolutionary — and potentially contentious — section of the strategy is sandwiched right in the middle of it: “Shape Market Forces to Drive Security and Resilience.”


Of the five “pillars” in the strategy, that one could generate the most debate because of the implication that technology vendors will be held more accountable for the security of their products in the future. A White House strategy in itself doesn’t have the power to make corporations do anything differently, but it does serve as a signal of where things may be headed on the legislative and regulatory front — which in itself can sometimes cause changes as businesses work to get out ahead of potentially inevitable actions by the government.

What follows are five things to know on the “shape market forces” pillar of the White House’s National Cybersecurity Strategy.

Background

Anyone who’s been following the comments from federal cybersecurity officials shouldn’t be surprised to see a focus in the National Cybersecurity Strategy on holding technology vendors to greater account if they produce vulnerable products. In particular, the leadership of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been vocal on the issue. Last fall, for instance, CISA Director Jen Easterly said during the Mandiant mWISE conference that “we have accepted this strange cultural norm where software and technology comes off the line just rife with vulnerabilities.” Looking ahead, she said at the time, “I think we need to expect more and really demand more from our technology providers.” With this approach, “we have put the burden on the least capable and the least knowledgeable about the threat to defend themselves, as opposed to [on] the technology providers.” Ultimately, Easterly said she was issuing a “call to action for technology vendors to be much more focused on secure by default.”

Earlier this week, she echoed the sentiments in remarks at Carnegie Mellon University, and even got a little more specific about whom she was talking about: “While it will not be possible to prevent all software vulnerabilities, the fact that we’ve accepted a monthly ‘Patch Tuesday’ as normal is further evidence of our willingness to operate dangerously at the accident boundary” — referring to Microsoft’s monthly release of patches for scores of vulnerabilities. (The “accident boundary,” she noted, is “the point of maximum risk that organizations can tolerate beyond which you have an ‘accident,’ like an intrusion.”)

How The White House Is Framing It

In the White House’s fact sheet on the National Cybersecurity Strategy, the Biden administration framed things this way in terms of shaping market forces: “We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy.”

Earlier in the memo, the administration said that its overall goals with the strategy include “shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

Shifting Liability For Security

In the strategy itself, the White House said that “we must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.” Though at the same time, it’s important to still recognize that “even the most advanced software security programs cannot prevent all vulnerabilities,” the administration said.

“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the White House said in the strategy. “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product. Doing so will drive the market to produce safer products and services while preserving innovation and the ability of startups and other small- and medium-sized businesses to compete against market leaders.”

Markets Impose ‘Inadequate’ Costs For Vulnerabilities

The White House states plainly in the National Cybersecurity Strategy that “markets impose inadequate costs on - and often reward - those entities that introduce vulnerable products or services into our digital ecosystem.”

“Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance,” the strategy says. “Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing. Poor software security greatly increases systemic risk across the digital ecosystem and leaves American citizens bearing the ultimate cost.”

Safe Harbors / Next Steps

In the strategy, the Biden administration pledged to “work with Congress and the private sector to develop legislation establishing liability for software products and services.”

“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy says. In order to start re-shaping “standards of care” for development of software, the administration said it will “drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework. It also must evolve over time, incorporating new tools for secure software development, software transparency, and vulnerability discovery.”

To add further incentives toward adopting secure software development processes, the White House said it will “encourage coordinated vulnerability disclosure across all technology types and sectors; promote the further development of SBOMs [software bills of materials]; and develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”

Meanwhile, in collaboration with the private sector and the open-source software community, the federal government “will also continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.”