The Biden-Harris administration today announced a sweeping new National Cybersecurity Strategy that, among other things, seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in the critical infrastructure sector.
When fully implemented, the strategy will also strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and require all entities that handle data on individuals to pay closer attention to how they protect that data.
One key objective of the strategy is for federal regulators to look for opportunities to incentivize all stakeholders to adopt better security practices via tax structures and other mechanisms.
Rebalancing the Responsibility for Cybersecurity
"[The strategy] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users," President Biden wrote in the introduction to his new plan. "By working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable."
Biden's strategy seeks to build collaboration and momentum around five specific areas: critical infrastructure protection, disruption of threat actor operations and infrastructure, promoting better security among software vendors and organizations handling individual data, investments in more resilient technologies, and international cooperation on cybersecurity.
Of these, the proposed initiatives around critical infrastructure security and shifting liability to software vendors and data processors could have the most significant impact.
The critical infrastructure component of Biden's strategy includes a proposal to expand minimum cybersecurity requirements for all operators of critical infrastructure. The regulations will be based on existing cybersecurity standards and guidance such as the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals.
A Focus on Secure by Design
The requirements will be performance-based, adaptable to changing conditions, and focused on driving adoption of secure-by-design principles.
"While voluntary approaches to critical infrastructure security have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes," the strategy document said. Regulation can also level the playing field in sectors where operators compete with one another by underspending on security, because without a mandate there is little incentive to invest in better security. For critical infrastructure operators that might lack the financial and technical resources to meet the new requirements, the strategy proposes potential new avenues for obtaining those resources.
Joshua Corman, former CISA chief strategist and current vice president of cyber safety at Claroty, says the Biden administration's choice to make critical infrastructure security a priority is an important one.
"The nation has seen successful cyber disruptions in critical infrastructure that have significantly impacted numerous lifeline functions, including access to water, food, fuel, and patient care, to name just a few," Corman says. "These are vital systems that are increasingly suffering disruptions, and many of the owners and operators of this critical infrastructure are what I call 'target rich, cyber poor.'"
These are often among the most attractive targets for threat actors yet have the fewest resources to protect themselves, he notes.
Robert DuPree, manager of government affairs at Telos, views congressional support as key to Biden's plans to bolster critical infrastructure cybersecurity.
"The push to impose mandatory cybersecurity requirements on additional critical infrastructure sectors will need congressional authorization in some cases, which in the current political environment is a long shot at best," he said in a statement. "The Republican House majority is philosophically opposed to new government mandates and is not likely to give the Biden Administration such authority."
Holding Vendors Accountable for Software Security
In what is likely to be a controversial move, Biden's new national cybersecurity strategy also emphasizes holding software vendors more directly responsible for the security of their technologies. The plan specifically shifts liability for insecure software and services onto the vendors and away from the end users who bear the consequences of that insecurity.
As part of the effort, Biden's administration will work with Congress to try to pass legislation that would prevent software manufacturers and publishers with market power from simply disclaiming liability by contract. The strategy provides a safe harbor for organizations with demonstrably secure practices for software development and maintenance.
The strategy document said that "too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities," and build on insecure third-party components.
In addition to shifting liability to software vendors, the new strategy also calls for minimum security requirements for all organizations handling individual data, especially geolocation and health data.
Support in Congress for efforts to shift liability to software vendors has manifested in fits and starts for over a decade, says Brian Fox, CTO and co-founder of Sonatype. "In 2013, H.R.5793 — the Cyber Supply Chain Management and Transparency Act, known as the Royce Bill — started the conversation around introducing software bills of materials (SBOMs)," he says.
Ultimately that proposal didn't move forward, but the requirement for all software suppliers to the federal government to produce SBOMs on demand ended up being incorporated in a May 2021 executive order from President Biden, he says. "More recently, we've seen the Securing Open Source Software Act of 2022 working its way through committees. It seems clear that Congress is looking for a way to move the industry forward, and the strategy lays out specific new elements to be considered."
Carrot and Stick
As part of the effort to guide better security behavior, the federal government will use its enormous purchasing clout to get software and service suppliers to contractually adhere to minimum security requirements. It will use grants and other mechanisms — such as rate-making processes and tax structures — to get organizations to invest more in cybersecurity.
Karen Walsh, cybersecurity compliance expert at Allegro Solutions, says if the plan works as intended it could shift corporate mindsets from a "security means penalties" to a "security means attaining rewards" mentality.
"In many ways, this is similar to how the government already offers incentives for clean energy initiatives," Walsh says.
One major focus of the new strategy is on strengthening federal and private sector capabilities to disrupt threat actor operations and infrastructure. The plans include developing a whole-of-government disruption capability, more coordinated takedowns of criminal infrastructure and resources, and making it harder for threat actors to use US infrastructure for cyber-threat operations.
"Dismantling threat actors is unlikely to take place on a broad scale," says Allie Mellen, a senior analyst at Forrester. "It's similar to the idea of 'hack back' — hypothetically great, but difficult to execute on."
Mellen considers the proposed expansion of regulations on critical infrastructure providers to be by far the most significant component of the new strategy.
"Not only does it look to establish a set of minimum cybersecurity requirements, but it also begins to link technology providers such as infrastructure-as-a-service (IaaS) companies to these requirements, broadening its reach," she says.
Claroty's Corman says some of the proposals in the new strategy will likely trigger some hard conversations. But it is high time to have them, he notes.
"The more controversial topics, such as software liability, are admittedly going to be tougher to achieve," Corman notes. But the effort is crucial, he says.
"There is a significant gap between the current state and the desired state for critical infrastructure cyber-resilience — we need bold thinking and bold action in order to narrow that gap."