The new National Cybersecurity Strategy: what does it mean for you?

The White House issued its new National Cybersecurity Strategy and companion Fact Sheet on Thursday, laying out its plan for securing the country from cyberattacks. Patrick C. Miller answers questions about the strategy and how it could impact you.

 

What is it?

This is not a law or executive order, it's a strategy – an outline – for what the current administration wants the federal government, critical infrastructure organizations and other private companies in the US to do. It essentially tells these groups the White House wants them to work together to do good things related to national cybersecurity, such as:

  • Defend Critical Infrastructure

  • Disrupt and Dismantle Threat Actors

  • Shape Market Forces to Drive Security and Resilience

  • Invest in a Resilient Future

  • Forge International Partnerships to Pursue Shared Goals

These all seem like the right things to do. But of course, the details always matter. And this will take time so don't expect immediate impacts.

 

What are the highlights?

The strategy is well written. It is both brief and extensive at the same time. Worth a read. But here are a few key takeaways.

  1. Critical infrastructure sectors that don't have regulation already will likely get regulation (or attempts at regulation). And the ones that already have regulation will probably see their regulation shift a bit. They will probably widen their scope to include more assets, but another likely scenario is normalization of the various regulations in some way, since the existing regulations in critical infrastructure are currently all different, a patchwork at best. It's hard to measure the overall level of cybersecurity across the US critical infrastructures if you're comparing apples to bananas.

  2. Another big takeaway is the shift in liability for software makers. The strategy will push for laws that make the software companies liable for vulnerabilities in their products. Currently, the customer ultimately pays the cost of a breach (often in more ways than one) when there is a software vulnerability that lets attackers in. Customers have been called “crash test dummies” for software companies. The strategy states that software companies should bear a significant portion of that cost as well, because it starts with them, and they should be held liable for the security of their products.

  3. One thing I found particularly interesting in the “Securing Our Clean Energy Infrastructure” section was the direct mention of the electrical distribution space, which has been forbidden territory for federal regulation in the past. The strategy does seem to indicate that if existing cybersecurity approaches to securing electric distribution can standardize and gain adoption, the administration would look at that instead of creating federal regulation. This would likely mean relying on groups like the National Association of Regulatory Utility Commissioners (NARUC), or similar ways to hopefully align the states on a common approach. They may be able to head off federal regulation.

  4. Probably my favorite thing in the strategy was that OT [operational technology] gets the attention it deserves. OT was mentioned more than once in different areas and was recognized as a very significant weakness if unaddressed. The strategy also includes elements such as getting rid of legacy technologies (because they can't apply things like zero trust and modern security controls). Granted, it's primarily a directive for the federal space, but what's done there will bleed over into the private sector, and usually fairly quickly.

 

What does it mean for me if I'm in critical infrastructure?

If you're in an unregulated critical infrastructure, you're likely going to get regulation somewhere in the not-too-distant future. There are many things that need to happen first. Some infrastructures need to have a regulatory agency defined and that agency needs to be granted legal authority to regulate. Much of this will literally take an act of Congress, and I’m not taking bets on how this will play out. I expect shouting matches, stalling, and even barfights over every detail.

 

But with statements like “The lack of mandatory requirements has resulted in inadequate and inconsistent outcomes” it is very clear which direction the tide is flowing. And the groundwork is already being laid. The Cyber Performance Goals (CPGs) and other methods are being used to demonstrate which infrastructures need regulation. For now, we're seeing at least a willingness to give the sectors a chance to try to design their own future. But it sounds like if they don't do something, the feds will come and measure, and then they will make regulation based on the results of the measuring. In short, failure to participate in these “voluntary” methods to measure the base levels of cybersecurity will only strengthen the argument that cybersecurity should be mandated.

 

What would software companies have to do?

Software (and hardware) companies are in the crosshairs. It’s well known that they sometimes sell vulnerable products with outdated versions, severe bugs that allow effortless access for attackers, weak default configurations or accounts, and even backdoors from hostile nation-states. And for now, you just click the “Agree” button on the Terms of Service or the End User License Agreement, and it absolves the maker of all liability. The strategy wants this to go away.

 

Software companies would have to institute things like the software bill of materials, or SBOM. They would have to be able to prove that their software came from where they said it came from. Things like code signing, digital certificates, very strong practices around software development life cycles. Those exist, they're just not usually being followed well. It would be enforcement of existing software development standards and then provenance software validation standards that are also already out there. The strategy isn’t inventing anything, it's just enforcing good practice that's known – and then making the manufacturer liable in the event they are negligent.

 

What are some of the big challenges?

Honestly, I think it's going to be challenging to get any of this implemented. The biggest risk to all this really awesome, ambitious, solid cybersecurity stuff is that people will say, "Yeah, but what if the administration changes? Have we just spent a lot of time and effort on something that's just going to get unwound?" So, the wait-and-see and dig-your-heels-in and argue and stall, I think, is going to be the biggest detractor to getting any real traction here.

 

What will we see in 2023?

It's unlikely that there will be immediate impacts. In 2023, you'll start seeing the government move in this direction in its usual slow pace. You'll begin to see the machinery moving to align with the strategy. We'll likely see some supporting executive orders, maybe even some other regulatory bodies starting to propose that they get authority. You'll see some bills, some motions in committees in Congress.

 

I would expect probably the biggest impact may be assessments against things that already exist, like the Cyber Performance Goals, for example, to see where everyone stands to at least know the baseline starting point. This will tell us how much work is really in front of us. There may be updates to the incident response, to align with CIRCIA. I also expect more use of the Cyber Safety Review Board (CSRB) for any major incident. These measurements will inform those in power as to just how much pressure and influence they need to apply to make this strategy a reality.

* See also our briefing presentation on the National Cybersecurity Strategy.
