Many industry professionals viewed the Biden administration’s cybersecurity strategy to secure the nation’s technology as a positive step, with some calling the policy “revolutionary” and a “game changer” as it shifts the security burden from end-users to manufacturers. However, they also warned of the investment that will be needed to carry it out.
As SC Media reported before and after the strategy’s release on March 2, the policy seeks to create “fundamental shifts” by moving responsibility for insecure technology from users to the manufacturers, and to compel more long-term investment in how technology is designed, built and secured.
The White House anticipates new authorities to mandate cybersecurity practices across various industries, and sees voluntary performance goals developed by the U.S. Cybersecurity and Infrastructure Agency as a potential roadmap.
The release of the strategy is an inflection point for the country when it comes to cybersecurity, said Jordan Burris, head of public sector strategy at identity verification firm Socure.
“The strategy’s focus on bolstering the regulatory landscape, increasing public-private partnerships, and building a future with cyber resilience in mind is a game changer,” Burris said.
Bryan Cunningham, a former White House lawyer and advisor at Theon Technology, called the strategy “revolutionary” in several respects, namely the end of the era of voluntary compliance and self-regulation.
“This strategy is by far the most emphatic about increasing legal and financial liability on big private entities in the cybersecurity ecosystem,” said Cunningham, who is also executive director of the Cybersecurity Policy and Research Institute at the University of California, Irvine. “Even if new federal law takes time to embrace this historic shift, the U.S. government, through regulation and its massive buying power, will rapidly make cybersecurity the legal and financial responsibilities of, as the strategy says, those most able to bear it and most directly able to enhance our collective security.”
Google’s Phil Venables said that, as one of the world’s largest tech providers, the tech behemoth takes its responsibility very seriously, and agreed that increased collaboration between companies like Google and the public sector is critical.
“We share the administration’s commitment to combat malicious cyber activity and mitigate its effect on the economic and national security of the United States, and look forward to continued partnership on this and other important cybersecurity issues now and in the future,” continued Venables, who is chief information security officer at Google Cloud.
While industry professionals and policy experts agreed that the strategy is ambitious and would improve the nation’s cybersecurity posture, there were still concerns about how to implement the strategy and how regulations would affect private industry.
For Panaseer’s Charlotte Jupp, the strategy needs to be coupled with guidance to help establish implementation plans for having industry standards to benchmark and measure.
“How can you be confident as to what ‘good’ actually looks like, how you compare to others in your industry and whether progress still needs to be made to keep up with internal and external policies?” asked Jupp, who is head of security performance management at Panaseer.
Brandon Pugh with the conservative R Street Institute cautioned Congress and the Biden administration to tread carefully so as not to undermine free market principles as they contemplate legislation on manufacturers and software publishers. Pugh, policy director and resident senior fellow on cybersecurity and emerging threats, said he was hopeful that there will be greater collaboration with stakeholders as the strategy is implemented.
The Biden administration’s cybersecurity strategy is a positive shift in motivation as it aims to build resilient software, said Melissa Bischoping, director of endpoint security research at Tanium, but “the actual work to implement these strategies will be expensive in time, human resources, and investment in compatibility and interoperability going forward.”