Of course it doesn’t go far enough, but the Biden-Harris Administration’s 2023 National Cybersecurity Strategy is a good first step. Rather than carrying forward the strategies of previous administrations, Biden-Harris considered the problem of defending the US in cyberspace holistically. For example, why put so much effort into defending bad software when you can (and should) fix it at the vendor level?
One of the more radical proposals in the new strategy is just that: shift the liability for data breaches and ransomware toward the software that made these attacks possible. Of course, the software industry will say that you can’t predict unknown or zero days. (Actually, you can, using security solutions like Mayhem, which find both known vulnerabilities and the unknown vulnerabilities often responsible for zero days.)
What is the Biden-Harris 2023 National Cybersecurity Strategy?
Released on March 3, 2023, the Biden-Harris 2023 National Cybersecurity Strategy is an attempt to update national strategy around cyberspace. This includes fundamental shifts in how the private sector, peer-competitor states, and nonstate actors navigate around and with each other.
Here are a couple of key takeaways. The new strategy:
Shifts Cybersecurity Responsibility Onto Software Vendors
Fundamentally, the strategy includes the much-needed beginnings of an ambitious shift in US cybersecurity policy. The strategy’s greatest shift is toward liability for software vendors. That means that liability for future data breaches and ransomware can be tied back to the software vendors themselves, incentivizing them to secure their software on release and to provide regular updates for that software post-release.
Currently, only the organizations using the software are held accountable for any breaches. This is not to say that organizations are off the hook with the new strategy. Rather, it seeks to share the liability.
By sharing the liability with the original software vendors, this strategy will enforce the use of best practices throughout the development lifecycle of that software. This includes the use of new technologies such as Mayhem, which finds both known and unknown vulnerabilities without the need for source code and provides prioritized and actionable results.
Reinforces the Need for More Public-Private Partnerships
The strategy also reinforces the need for more public-private partnerships and for removing existing silos of information where it makes sense.
As an example, eighteen months ago, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), announced the Joint Cyber Defense Collaborative (JCDC) at Black Hat 2021. Launch partners included Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks, and Verizon. Perhaps this is a model for the rest of the industry and government to follow.
The Atlantic Council, a Washington think tank, has provided a markup with expert commentary by Jeff Moss, Katie Nickels, Marc Rogers, Chris Wysopal (Weld Pond), and Danielle Jablanski. The experts conclude that “the strategy offers the much-needed beginnings of an ambitious shift in US cybersecurity policy, but it often falls short on implementation details and addressing past failures.”
Indeed, the details remain to be worked out. However, at least having a strategy that advances the discussion and highlights the concerns is a major step forward.