Tech Industry ‘Devolving’ On Security; National Strategy Aims To Make Secure Products A ‘Competitive Advantage’: US Official
Now that the Biden administration has released its ambitious National Cybersecurity Strategy, increased regulation meant to reduce vulnerabilities in tech products is looking likely.
Acting U.S. National Cyber Director Kemba Walden
The tech industry is going in the wrong direction when it comes to developing products with cybersecurity in mind, which has prompted the new White House-led effort that could lead to increased regulation of the industry around reduction of vulnerabilities, Acting National Cyber Director Kemba Walden said Thursday.
Walden made the comments during a live-streamed event after the Biden administration released its much-awaited National Cybersecurity Strategy, detailing a number of cybersecurity priorities for the White House. The strategy places a major emphasis on the need for tech vendors to be held more accountable for the security of their products in the future, with one of its key pillars being to “shape market forces to drive security and resilience.”
[Related: CISA Leader Tells MSPs Cyber Insurance Market ‘Fueled Rise In Ransomware’]
The White House said Thursday that a top goal of the strategy includes “shifting the burden for cybersecurity away from individuals, small businesses and local governments and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
During her remarks Thursday at an event held by the Center for Strategic and International Studies, a Washington think tank, Walden said that vendors are currently rewarded for being “first to market, not secure to market.”
“What we’re trying to achieve is a competitive advantage for those that build in security by design,” she said.
“Right now, we are devolving down to the least common denominator,” Walden said. “Let’s bring that up. Let’s recharge American innovation. Let’s find cyber priorities in our R&D.”
‘Rife With Vulnerabilities’
For months, federal cybersecurity officials, including the leaders of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have been vocal on the topic. Last fall, for instance, CISA Director Jen Easterly said during the Mandiant mWISE conference that “we have accepted this strange cultural norm where software and technology comes off the line just rife with vulnerabilities.”
Looking ahead, she said at the time, “I think we need to expect more and really demand more from our technology providers.”
Earlier this week, Easterly echoed the sentiments in remarks at Carnegie Mellon University, while specifying that a foremost example of the issue is Microsoft’s monthly release of patches for scores of vulnerabilities, known as “Patch Tuesday.”
“While it will not be possible to prevent all software vulnerabilities, the fact that we’ve accepted a monthly ‘Patch Tuesday’ as normal is further evidence of our willingness to operate dangerously,” she said.
In the strategy released Thursday, the White House said that “we must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.”
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers,” the White House said in the strategy.
More Regulation Ahead?
A White House strategy in itself doesn’t have the power to make vendors do anything differently, but it does serve as a signal of where things may be headed on the legislative and regulatory front—which in itself can sometimes cause changes as businesses work to get out ahead of actions by the government.
The strategy is a “watershed moment” in cybersecurity, said Brian Fox, co-founder and CTO of software supply chain management firm Sonatype and board member at the Open Source Security Foundation.
“People can no longer be in denial—they’re going to have to get their act together,” Fox told CRN. “Even the drop of the strategy, in advance of actual regulation, can start to move the industry if people believe that this is an inevitability.”
While it’s likely that some vendors will oppose a regulatory effort on this issue, many thought leaders around the industry believe “we’re kind of past the point of no return on this,” he said. “We, as an industry, didn’t solve this problem fast enough. People are demanding action and users are demanding action. Governments are demanding action on behalf of them. So regulation is coming. Stopping it completely seems unlikely.”
Solution Provider Perspective
There are usually upsides and downsides to industry regulation, and what the White House seems to be looking for with this initiative is likely to be no exception, said Dawn Sizer, CEO of 3rd Element Consulting, a Mechanicsburg, Pa.-based MSP.
But on the goal of incentivizing the industry to develop products with fewer security issues, “I think [the regulation] would make it better,” Sizer told CRN. “I think it would raise the level of security compliance, and everybody that wants to stay in the game would be complying at the same point.
“Would it solve all the problems that we have? No. But I think it would solve some of them,” she said. “And I’d be more comfortable with that than no regulation at all.”
In her remarks Thursday, Walden acknowledged that the White House is looking for regulation by releasing this strategy but it envisions “light regulation, that is targeted.”
Ultimately, the effort is critical because currently, “the costs of liability are borne by the end user. That’s just not effective,” she said. “We need to figure out a way to shift that liability upstream a bit.”