Back when cybersecurity was in its infancy — about two decades ago — simply discovering that an incident had occurred was considered a major victory inside an organization. As cybersecurity matured, forensic advances made it possible for organizations to identify the very source of the incident — even if the investigation was drawn out and exact details were often fuzzy.
Today, we have reached a stage where cyber attacks and other crimes are increasingly discovered, monitored and resolved by the business community. Given how rapidly cybersecurity technology develops, President Biden believes the time is right to leverage organizational intel to help protect and defend our nation’s critical infrastructure going forward.
In March, the Biden Administration unveiled its National Cybersecurity Strategy, a comprehensive proposal that leans heavily on the private sector.1 The White House press release makes plain the government’s objective: “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments, and onto the organizations that are most capable and best positioned to reduce risks for all of us.”2
The proposal asks a lot of the cybersecurity industry, which will now be required to implement security standards into the applications made by tech firms. For software manufacturers in particular, this shift is a sea change in risk management. For the first time, developers will be liable if a software vulnerability or a bad line of code results in a cybersecurity incident — not unlike the way automakers and other manufacturers are responsible for design flaws when they lead to consumer harm.
Getting a head start on implementing basic requirements of the National Cybersecurity Strategy (the “Strategy”) can limit cybersecurity risk, achieve compliance and save tech firms headaches and unnecessary costs down the road.
The Strategy consists of five pillars (see “The NCS Pillars”), the third of which, “Shape market forces to drive security and resilience,” is directed at limiting the vulnerabilities in third-party software applications.3 These apps are typically made and supported by software firms on behalf of hardware manufacturers. To get an idea of the scope of this risk, consider that Apple’s online marketplace offers approximately 1.8 million apps for download, representing nearly 57% of total market share.4,5
The NCS Pillars6
— Defend critical infrastructure
— Disrupt and dismantle threats by malicious cyber actors
— Shape market forces to drive security and resilience
— Invest in a resilient future
— Forge international partnerships to pursue shared goals
Another common vulnerability involves the default passwords manufacturers supply with new consumer hardware. Often, simple alphanumeric strings designed to help ease initial consumer setup can create enormous, enterprise-wide cybersecurity vulnerabilities when consumers are not forced to change them immediately once the device is operational. Threat actors can easily identify basic password patterns and infiltrate systems and networks that are still using default passwords.
The White House wants software makers to seal up these kinds of vulnerabilities. The Strategy states that manufacturers — rather than end users — are best positioned to reduce risk, promote privacy, keep personal data secure and, perhaps most importantly, “incentivize the adoption of secure software development practices.”7
To get started on compliance, software manufacturers and technology firms should review their internal processes and procedures to determine whether they are adequately addressing security vulnerabilities per the third pillar. If not, organizations should consider implementing industry-accepted best practices such as those found in the Secure Software Development Framework developed by the National Institute of Standards and Technology (“NIST”).
Designed specifically for the software development life cycle, this “core set of high-level secure software development practices” is built around 1) preparing the organizations to ensure that “their people, processes, and technology are prepared to perform secure software development at the organization level,” 2) protecting the software and “all components of their software from tampering and unauthorized access,” 3) producing well-secured software “with minimal security vulnerabilities in its releases” and 4) responding to weaknesses “in their software releases.”8
Software manufacturers should also review the basic cybersecurity hygiene of their vendors and partners to determine whether their supply chain or third-party relationships include hidden cybersecurity vulnerabilities. Many organizations outsource specific aspects of software development to small, specialist developers who may not have the resources to implement comprehensive security protocols that meet the threshold for the new White House rules. So, while the work can be outsourced, the compliance risks cannot, which means organizations need to conduct supply chain and vendor cybersecurity due diligence to avoid liability.
Tomorrow’s cybersecurity will be a leap ahead of today’s. Yet even as technology continues to mature and the business community carries development forward, threat actors will always be looking to exploit vulnerabilities. Tech firms can do their part now knowing that corporate America, the government and the cybersecurity industry are behind them.