This past March, the Biden administration unveiled its vision for a safer, more secure digital landscape with its National Cybersecurity Strategy (NCS). For cybersecurity experts, it represented a national call to action and highlighted many of the challenges they have been working on for years. Still, the question remained: how would the Biden administration implement the NCS?
Click for more special coverage
We got our answer: in July, the administration released its National Cybersecurity Strategy Implementation Plan (NCSIP), and it’s encouraging. Spanning five core pillars divided into 65 concrete initiatives, the NCSIP includes actions for the government and private industry to protect critical infrastructure, combat threat actors, incentivize software transparency, and foster communication with allies. The NCSIP identifies objectives for each initiative, assigns a lead agency, and establishes an expected completion date. It’s more transparency regarding the implementation of a National Cybersecurity Strategy than we have ever seen before.
Given the current threat environment, this executive branch plan could not have arrived at a more opportune time. The same week the NCSIP was released, there were public reports that a China-based hacking group infiltrated multiple federal agencies — the latest in a string of high-profile, escalating cyberattacks from sophisticated nation-states.
The full NCSIP contains many sweeping initiatives, but one of the most potentially impactful items is something we have not seen before: initiative 1.1.2 of the plan, titled "set cybersecurity requirements across critical infrastructure sectors" has the potential to increase cybersecurity outcomes across a broad set of organizations. Essentially this initiative calls for the creation of new cybersecurity regulations for critical infrastructure.
How new regulations can enhance cybersecurity
Regulations can support national security and public safety by enhancing cooperation with the private sector, putting more responsibility on companies to implement security by design, improving the cyber workforce, and strengthening global efforts to improve cyber hygiene. These regulations will increase senior leadership awareness of cybersecurity threats and drive investments in capabilities that can reduce and mitigate those threats. In short, regulations can force companies to implement best practices already executed in many sectors.
One best practice, outlined in initiative 3.3.3 of the plan, titled coordinated vulnerability disclosure (CVD), promises to make an outsized impact on our nation's cybersecurity stance.
The importance of CVD boils down to one simple fact: the world as we currently know it runs on software. Dig into the workings of any organization — public or private — and it consists of a complex architecture of software assisting with everything from office productivity to mission delivery to financial management.
Nearly all systems and software contain vulnerabilities that malicious actors can identify and exploit. CVD aims to remedy these problems. Per the CERT Guide to Vulnerability Disclosure, it’s defined as "the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public."
Global vulnerability disclosure requirements
Proper vulnerability disclosure is also a hot topic outside of the U.S., and initiatives driven by other governments can offer helpful lessons for the U.S. implementation of CVD. The EU has proposed the Cyber Resilience Act (CRA) to improve hardware and software security, but this legislation has a significant area of concern. More than 50 cybersecurity leaders, including HackerOne, sent an open letter to lawmakers in the EU, challenging Article 11 of the CRA, which requires organizations to report vulnerabilities, patched or not, to government agencies within 24 hours of exploitation.
This CRA requirement is at odds with CVD best practices. Reporting vulnerabilities to multiple EU government agencies before they’re patched leaves the reporting organizations more vulnerable to exploitation and makes the EU agencies another attractive target to malicious actors. Governments must follow CVD best practices and not rush the disclosure process, which will reach the best outcome for citizens and organizations.
The future of CVD programs in the U.S.
A mandatory CVD program — one that requires an open channel to report vulnerabilities or transparently disclose vulnerability information after remediation—would benefit everyone.
For that reason, I would encourage the Cybersecurity and Infrastructure Security Agency (CISA) to think even more expansively when it comes to CVD. At the same time, it’s important not to compel disclosure of vulnerabilities before they're patched — because if word of an unmitigated vulnerability spreads, it’s only a matter of time before a malicious actor takes advantage of it.
The Biden administration's prioritization of CVD in its NCSIP speaks volumes to its ongoing commitment to bolster cybersecurity measures and strengthen digital defenses. Identifying and mitigating vulnerabilities effectively has become one of the most important tasks facing organizations today, and any effort to incentivize this process will pay immense dividends.
Ilona Cohen, chief legal and policy officer, HackerOne
