Compliance

White House cyber strategy: leadership is now accountable

Jose Vasquez

Security Solutions Architect, Coalfire

The National Cybersecurity Strategy represents one of the most significant market-driving forces in the history of IT. It ushers in a new era of standards, requirements, and best practices that will define how our economy works and how buyers interact with sellers for decades to come.

Key takeaways:
  • Point-in-time audits and random vulnerability scanning will be replaced with continuous integration and deployment of security.
  • The ultimate weight of the responsibilities outlined in the strategy will fall on security leaders' shoulders.
  • Though more regulations and case law are coming that will set a future precedent, boards and C-suites could be personally exposed and open to blame for application security in the years ahead.

The National Cybersecurity Strategy announced by the Biden-Harris Administration on March 2, 2023, carries significant implications for cyber executives, especially in managing development security operations and AppSec teams. Collaboration is key to the five pillars that define the strategy:

  1. Defend critical infrastructure
  2. Disrupt and dismantle threat actors
  3. Shape market forces to drive security and resilience
  4. Invest in a resilient future
  5. Forge international partnerships to pursue shared goals

The most impactful pillar for Chief Information Security Officers and security operations team leaders is Pillar 3: Shape market forces to drive security and resilience. To do this, the federal government is placing responsibility on “those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable to make our digital ecosystem more trustworthy.”

From the goals outlined under Pillar 3, here are the key takeaways for security teams:

Strategic Objective 3.1 – Hold the stewards of our data accountable:

"The administration supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protection for sensitive data like geolocation and health information. This legislation should also set national requirements to secure personal data consistent with standards and guidelines developed by NIST."

Takeaway:

This means that the administration wants to limit the ability of public and private organizations to collect, use, transfer, and maintain personal and sensitive data by setting national requirements based on guidance from NIST.

Strategic Objective 3.2 – Drive the development of secure IoT devices:

“The administration will continue to advance the development of IoT security labeling programs. Through the expansion of IoT security labels, consumers can compare the cybersecurity protections offered by different IoT products."

Takeaway:

The administration wants vendors to label their IoT products with information supporting their security protections. What these labels will look like and what they will say are yet to be determined, but they should provide a common language to help buyers compare the security features of products connected to the internet, from online retail purchases to large-scale capital expenditures.

Security operations within the application development environment are now more urgent due to more distributed computing. This spreads the CISO’s span of responsibility across all devices and endpoints, throughout all product lifecycles, and continues to the most-remote edge of networks.

Strategic Objective 3.3 – Shift liability for insecure software products and services:

“The administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract.”

“The administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework."

Takeaway:

The administration wants vendors to be held liable for insecure software products and services, and wants to prevent software and digital product developers from disclaiming that liability by contract. At the same time, regulators want vendors who securely develop and maintain their software products to have as much safe harbor as possible. In the event of a material breach, for instance, companies should be able to legally claim a safe haven from prosecution by showing how they adhered to proper requirements and industry-vetted standards, frameworks, documentation, and best practices.

This puts the CISO on the hot seat and gives more teeth to regulatory compliance. This element of the government’s strategy should influence CISOs to work closely with marketing and legal departments to communicate assurance in real time, on demand, and proactively with all stakeholders well before walking into a courtroom.

Strategic Objective 3.4 – Use federal grants and other incentives to build in security:

"The Federal Government will collaborate with SLTT (state, local, tribal, and territorial) entities, the private sector, and other partners to balance cybersecurity requirements for applicants with technical assistance and other forms of support."

Takeaway:

When applying for federal grant funds, cybersecurity will be a determining factor and foundational to every investment. Federal-level assistance and assurance must be incorporated from the start of every project, from the simplest educational initiative to the most complex critical infrastructure project.

Strategic Objective 3.5 – Leverage federal procurement to improve accountability:

"When companies make contractual commitments to follow cybersecurity best practices to the federal government, they must live up to them. The Civil Cyber-Fraud Initiative (CCFI) uses DOJ authorities under the False Claims Act to pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations."

Takeaway:

If a contractor fails to meet its cybersecurity commitments and obligations to the federal government, civil actions will be pursued by the Department of Justice.

Strategic Objective 3.6 – Explore a federal cyber insurance backdrop:

"The administration will assess the need for and possible structure of a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market."

Takeaway:

The administration is considering a federal insurance response to catastrophic cyber events that would support, not replace, the existing cyber insurance market. Given the new generation of framework revisions and additional legal oversight by entities including the Securities and Exchange Commission, the Federal Communications Commission, and others, the cyber insurance landscape will remain challenging and complex – don’t expect a quick fix anytime soon.

Mind your code

The guardrails in Pillar 3 are timely and necessary, and the national strategy is leaning hard on leadership accountability. Though more regulations and case law are coming that will set a future precedent, it’s becoming clear that boards of directors and C-suites will be personally exposed and open to blame for application security faults in the years ahead.

The ultimate weight of these responsibilities falls on the CISO’s shoulders. Point-in-time audits and random scanning for vulnerabilities will be replaced with a greater sense of continuous integration and deployment of security in and out of every bit and byte of corporate data. This starts with the next line of code and continues through the lifecycle for every product and across every customer relationship and supply chain partnership.