Pushers of insecure software in Biden's crosshairs
Just-revealed US cybersecurity strategy 'has fangs' for catching crafty criminals and crummy coders
Analysis: Technology providers can expect more regulations, while cyber criminals can look for US law enforcement to step up their efforts to disrupt ransomware gangs and other illicit activities, under the Biden administration's computer security plan announced on Thursday.
The long-awaited National Cybersecurity Strategy calls for adopting minimum security standards for critical infrastructure owners and operators, and holding software companies liable for security flaws in their products. It also says the US plans to use "all instruments of national power to disrupt and dismantle threat actors" that threaten US and public safety.
The plan [PDF] is built around five "pillars," the first of which is focused on defending US critical infrastructure, which is mostly commercially owned. This includes enforcing minimum cybersecurity requirements in critical sectors and improving public-private collaboration around threats and defenses.
It also calls on the federal government to modernize its own networks and update its incident response policy to serve as examples of best practices for private sector companies.
"By making its own networks more defensible and resilient, the Federal Government will be a model for private sector emulation," the strategy says.
It's hoped this will accelerate some of the best practices called for in Biden's earlier cybersecurity executive order from May 2021, CrowdStrike VP of privacy and cybersecurity Drew Bagley told The Register.
"When we go back to Executive Order 14028, we see the president's call for the implementation of endpoint detection and response, threat hunting, centralized log management, coordinated incident response and zero-trust architecture," he said.
Bagley said the new strategy signals the government's intent to adopt a "unified effort" to implement these security controls and architectures, rather than an agency-by-agency approach.
And this will trickle down to private-sector organizations as well, he added.
"The National Cybersecurity Strategy calls for the modernization of IT. Specifically, the strategy noted all of the inherent vulnerabilities in lots of the ubiquitous legacy software that the federal government depends upon," Bagley said.
"And so the federal government has the opportunity to modernize its IT and show what a new standard of reasonableness is and what good cybersecurity looks like."
Shifting liability to software providers
Another pillar of the plan calls for holding software providers and technology companies responsible for the products they sell and data privacy practices they employ. Specifically, it says the administration will work with Congress and the private sector to develop legislation that will hold software providers liable for security flaws in their products and services.
CISA boss Jen Easterly was just making that point this week, if it sounds familiar.
Shifting liability to the software providers and away from the end users is one example that shows "this strategy actually has substance to it," former White House cyber chief Michael Daniel told The Register.
"What other product in our society does the manufacturer of it bear no liability for how it operates or problems with it? And you don't even get to buy it — you license software," Daniel, who is now CEO of the Cyber Threat Alliance, added. "So that's important."
This also helps enterprises by essentially requiring software vendors to ship more secure products, according to Tom Kellermann, SVP of cyber strategy at Contrast Security.
"Whereas critical infrastructures will finally have to comply with minimum cyber security requirements, traditional enterprises will benefit most from the administration's efforts to secure the software supply chain," he told The Register.
"For perspective, 77 CVEs are discovered every day and the average application has 25 vulnerabilities," Kellermann added. "These numbers will diminish. Hopefully, Congress will get engaged and establish a tax credit for cyber security investment."
(If you're wondering where open source code fits into this planned approach to liability, the strategy has this to say: "Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.")
Boost to a federal data privacy law?
This liability pillar also says "securing personal data is a foundational aspect to protecting consumer privacy."
"That is rather significant because this is coming right after the State of the Union speech where the President called for federal privacy legislation," Bagley opined.
The cyber security strategy calls China the "broadest, most active, and most persistent threat to both government and private sector networks," and also singles out Russia, Iran and North Korea as states whose cyber activities pose a national security risk to America.
And during a call with reporters about the National Cybersecurity Strategy, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, noted that the administration has now labeled ransomware "a threat to national security rather than just a criminal challenge."
Other pillars of the strategy call on the US to "use all instruments of national power to disrupt and dismantle threat actors" and increase cooperation with international partners on cyber threats, among other things.
Putting ransomware actors on notice
This signals the US intends to go on the offense against cyber criminals and "points towards the need to increase the cadence of disruption operations against the bad guy," Daniel said.
He expects this to include more high-profile operations, like the Hive ransomware gang takedown last month. "And some of those activities will never be seen because they'll happen quietly behind the scenes," Daniel said. "You want them to be happening frequently."
This also represents an area for more collaboration between the private and public sectors, Daniel added.
And more than having teeth, this shows the strategy "has fangs," Kellermann said.
"The NSA and FBI will now disrupt and degrade the forums and the C2 of the cybercrime cartels," he said. "This will force the adversary to play defense for once. Through SIGINT and proportionate cyber attacks, Russia and Chinese cyber spies will be confronted. A reckoning has begun." ®