In March 2023, the White House announced a new National Cybersecurity Strategy. The strategy outlines numerous broad goals for transforming government and the critical industrial base through IT modernization. Usually, federal strategies such as these call on agencies or critical infrastructure industries to implement changes themselves.
However, this strategy for securing critical infrastructure recognizes that government must use all tools of national power. For example, using federal purchasing power, the strategy begins to move more security responsibility to the providers of software and services. Additionally, it relies on regulations and requirements to “support national security and public safety” for supply chain cyber risks, and transfers some of those risks to the companies that create software.
Supply chain compromises, in which attackers insert malicious code upstream so that it reaches victims through a trusted vendor or update channel, have caused major breaches and are among the most difficult attacks to detect and respond to, since the malicious code arrives through the same path as legitimate software and often exploits weaknesses in the vendor's own code and build practices. By requiring industry to follow secure development standards and coding practices, the strategy shifts some of the liability onto software vendors that were previously shielded from it. It incorporates the principle of 'duty of care' in product development, i.e., the good-faith effort that a reasonably prudent person would make.
The National Cybersecurity Strategy is one of several recent software-focused security directives. The Office of Management and Budget (OMB) issued secure software guidance to agencies in fall 2022 (memorandum M-22-18, on secure software development practices), and a new Federal Acquisition Regulation requiring software suppliers to comply with secure development standards is in draft. The strategy envisions working with Congress and the private sector over the long term to develop reasonable software liability legislation for all sectors of the economy. Well before any such legislation arrives, however, the procurement requirements will immediately influence federal purchasing decisions in all IT areas.
Like the pillars of the earlier federal Zero Trust strategy, the National Cybersecurity Strategy is organized around broad goals, and it expands them into a wider strategy for improving cybersecurity resilience.
The five pillars are:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
As with earlier strategies, this White House strategy will be followed by clarification from OMB and guidance from the Cybersecurity and Infrastructure Security Agency (CISA) as the nation moves from protecting government and critical infrastructure to a broader application of security requirements to business.