The White House today announced a new national cyber strategy, laying out a vision for shoring up the cybersecurity of critical infrastructure sectors through baseline security requirements and re-aligning more responsibility for cyber risks to big tech companies.
The strategy also envisions using federal procurement as a major tool for improving accountability for cybersecurity in products and services.
Kemba Walden, the White House’s acting national cyber director, said the strategy “fundamentally re-imagines America’s cyber social construct,” noting how cyber risks typically flow down to individuals, small businesses and local governments.
“It will re-balance the responsibility for managing cyber risk on to those who are most able to bear it,” Walden said in a call with reporters.
Shape market forces to drive security and resilience
Invest in a resilient future
Forge international partnerships to pursue shared goals
An implementation plan is in the works to provide further detail on how agencies will carry forward the ideas in the strategy. The Office of the National Cyber Director is expected to coordinate implementation of the strategy, with oversight from the National Security Council and the Office of the National Cyber Director.
A senior administration official said a public version of the implementation plan will be released in “the coming months.”
Critical infrastructure requirements
The strategy for securing critical infrastructure, as many had predicted, relies on regulations and requirements to “support national security and public safety.”
Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said the strategy “codifies” a shift that’s already well underway.
“We recognize that we need to move from just a public-private partnership, information sharing approach, to implement minimum mandates,” Neuberger told reporters. “Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure.”
The strategy still lauds the need to “scale” public-private partnerships. It also calls for making investments in the various sector risk management agencies (SRMAs).
“Investment by the Federal Government in building out the capabilities of SRMAs will enable security and resilience improvements across critical infrastructure,” the strategy states. “SRMAs will coordinate with [the Cybersecurity and Infrastructure Security Agency] to improve their ability to be proactive and responsive to the needs of their sectors.”
The Biden strategy envisions shaping market forces to drive more cybersecurity accountability in the tech sector through several strategic objectives, including the development of secure Internet of Things devices. It notes work that’s already underway to advance IoT security labels for certain networked products.
It also calls for shifting liability for insecure products and services to software vendors.
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the strategy states. “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”
The White House plans on working with Congress and the private sector to develop software liability legislation. Cybersecurity and Infrastructure Security Agency Director Jen Easterly has advocated for such legislation in recent days as well.
“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy states.
A senior administration official noted the White House sees shifting liability for poor software security as a “long term process.”
“When we think about this strategy, we’re looking out a decade,” the official said. “And so our anticipation is that we will need to begin this process working with industry to really establish what better software development practices look like, work to implement those, work to articulate those, and then work with industry and Congress to establish what some kind of liability shield for the adoption of those practices would look like.”
“But we don’t anticipate that this is something where we’re going to see a new law on the books within the next year,” the official added.
John Miller, senior vice president of policy, trust, data and technology at the Information Technology Industry Council, said the idea of re-balancing responsibility “has merit,” but added, “we should tread carefully” in not shifting too much responsibility onto software developers, for instance.
“I think re-calibrating liability, or at least responsibility, makes a lot of sense,” Miller said. “But I don’t think we want to over index and create too much liability on one group of entities, either.”
Using federal purchasing power
The strategy also lays out an objective to “leverage federal procurement to improve accountability,” noting that “contracting requirements for vendors that sell to the federal government have been an effective tool for improving cybersecurity.”
“Continuing to pilot new concepts for setting, enforcing and testing cybersecurity requirements through procurement can lead to novel and scalable approaches,” the cyber strategy states.
It also highlights the Justice Department’s Cyber Civil-Fraud Initiative as a key backstop for enforcing federal contracting requirements.
“When companies make contractual commitments to follow cybersecurity best practices to the federal government, they must live up to them,” the strategy states.
The document additionally calls out emerging software security standards, such as Software Bills of Materials (SBOMs).
“To further incentivize the adoption of secure software development practices, the administration will encourage coordinated vulnerability disclosure across all technology types and sectors; promote the further development of SBOMs; and develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure,” the strategy states.