The Biden administration this month released the country’s first National Cybersecurity Strategy (NCS) – a bold attempt to move beyond incremental change and accelerate the maturation of IT security. Major policy proposals tend to generate resistance, often reflexively, especially when regulatory change creates new costs for companies. Yet the initial response to the NCS’s unveiling was uncharacteristically reserved. The plan to shift liability for cybersecurity to software makers didn’t generate enough blowback to fly a kite.
The absence of overt resistance likely reflects broad recognition of a simple truth: we need a bold strategy to neutralize risks threatening the country’s cybersecurity and the underlying infrastructure. The NCS proposes stabilizing cybersecurity by strengthening five pillars of support: defending critical infrastructure; disrupting and dismantling threat actors; shaping market forces to drive security and resilience; investing in a resilient future; and forging international partnerships to pursue shared goals.
It's a solid strategy, so where do we go from here? What will it take to realize a rational cyber policy and program in this country? Consistency of execution will be important, and adhering to a few critical operational touchstones will help keep the rollout on track and speed implementation. The following three tactics can help move the process in a positive direction:
- Leverage a data-driven approach.
Quantifying cybersecurity challenges and proposed solutions will maximize value derived from the NCS. It’s important to measure the right metrics, especially leading indicators of cybersecurity. Until now, most cybersecurity metrics have focused on trailing indicators, such as data collected in the aftermath of ransomware attacks.
We need to look at the results of software-security testing before software is deployed or shipped. Those results offer a leading indicator of progress, and they yield valuable insight into whether vendors are delivering software, such as software as a service (SaaS), that can withstand attack.
- Insist on greater transparency.
We can no longer tolerate developing products for government using opaque, open-source software. The industry needs to make vendors liable for vulnerabilities in products using open-source code. Civilian agencies and the software they use to pursue missions have, until now, received less scrutiny than defense organizations. Looking ahead, they will have to abide by the same or similarly rigorous standards applied by the Defense Department, whose higher assurance levels for cybersecurity informed development of provisions in the NCS.
Consider software bills of materials (SBOMs), essentially lists of ingredients in applications. Without the ability to know what’s in open-source code, we cannot make those applications secure. DoD will lead the way in adopting SBOMs, and civilian agencies will follow. Provisions in the NCS that affect vendors or suppliers will hit DoD first. If defense contractors aren't delivering SBOMs with their software, how many other organizations will?
- Practice strong cost controls.
An obvious impediment to implementation is the cost of compliance. Some software companies will resist taking action to bolster cybersecurity in order to avoid the financial impact. That’s a very big challenge, the scope of which we don’t know for sure. Some companies, such as Google, have already stated their intention to build in security by design. They’re signaling that they intend to comply with initiatives like the Secure Software Development Framework (SSDF) – and to provide evidence of their compliance.
Elsewhere, companies that sell and maintain legacy products with long tails are often less eager to abide by the NCS and other initiatives for modernizing IT and promoting cybersecurity. Developed in an era when security was less of a concern than today, those products are loaded with security debt. There’s concern that companies invested in legacy technology will lobby for exemption from compliance until government buyers move off their product. That's the elephant in the room.
We have to start this process by choosing to build products with security in mind. It sounds simple enough, yet at present there’s no incentive for software developers to consistently bake security into products. The National Cybersecurity Strategy will try to change a broken system by changing market incentives. It’s a big idea, one that’s commensurate with the cyber challenge and its potential consequences. If we don’t change market incentives soon, the industry will stay stuck in an untenable and unacceptable status quo.
Chris Wysopal, founder and CTO, Veracode