In the first week of March, the Whitehouse released the new National Cybersecurity Strategy that outlines areas of focus and investment to “secure the digital ecosystem for all Americans.” Like most strategies, it is high level, broad in scope and forward thinking. Most of the strategy covers expected topics, with objectives like: protecting critical infrastructure, investing in research and development, expanding the qualified cyber workforce and increasing public-private collaboration. However, I found a few of the objectives thought provoking and ambitious because they have the potential to mature or disrupt the industry if enacted into standards or legislation.
Ransomware
The United States has labeled ransomware as a strategic objective that needs attention to prevent disruption of critical infrastructure and other “essential services,” like hospitals. Payments from ransomware support the activities of criminal groups and ransomeware attacks result in not only financial loss, but can result in loss of life through the inability to provide accurate or timely care. Dish Networks is the latest victim of ransomware, resulting in a 20% decrease in stock price, not to mention the amount it costs Dish to recover from the attack, including the loss of revenue from inability to process payments or provide adequate support.
Ransomware is a difficult problem to solve because the government can’t magically secure all of the vulnerable networks and systems in the US. Instead, the US Government plans to target the financial networks that process ransomware payments, disrupt infrastructure that supports ransomware and place diplomatic pressure on countries that continue to provide safe haven to ransomware operations. It will be interesting to see what effect this will have on ransomware attacks, but optimistically, I hope this will have the same result as recent high profile botnet disruptions.
As of yesterday, the administration can claim its first success in taking down part of a ransomware gang in Germany and Ukraine responsible DoppelPaymer and tied to EvilCorp.
Privacy
The Whitehouse considers privacy a strategic objective for the United States. The European Union set the global standard for privacy with GDPR and since then the United States has lagged behind other countries for national privacy regulations. This is evident because several states like California and Colorado have already passed privacy laws that establish fundamental rights to privacy for their residents and there are another three dozen bills in progress across several states in the US. A patchwork of state privacy laws will make it difficult for companies to navigate and satisfy each individual privacy law. Citizens in the United States suffer from poor privacy practices from companies that seek to monetize or use the data for strategic purposes.
There are dozens of privacy bills floating around Congress to address individual privacy, financial privacy, health privacy, and education privacy. These laws would give US Citizens fundamental rights to their privacy, the ability to control how their data is used and shift the collection of data from opting out to requiring consumers opt in to collection. A national privacy law would help consolidate the patchwork of state legislation and make it easier for businesses to navigate the new requirements. It would also place the United States on equal footing with other international standards like GDPR, which has had a significant impact on advertising and marketing business in the EU.
Liability for Third Party Software Security
One of the most interesting strategic objectives in the National Cybersecurity Strategy is the intent to “shift liability for insecure software products and services” to the companies that produce them. This has the potential to mature the technology sector by establishing a standard of security quality through legislation or penalties. The administration intends to do this by establishing a framework that will shield companies from liability if they follow the secure development practices in the framework.
In reality, software development is not that simple. Following a secure software development framework will not address the complex software security supply chain issues facing the technology sector. Use of open source software libraries is a common development practice that accelerates the development of software so companies don’t have to re-develop functions for themselves. This accelerates the software development life cycle and also self regulates by allowing the industry to settle on and standardize certain functions or technologies. While I applaud the sentiment to hold companies liable, it is unclear where the liability stops and this may actually hinder innovation in the technology sector. If a business includes an open source software package in their software are they now liable for the security of a software package they don’t control? Or, does the liability pass on to the random person who built the software package from their basement? Will companies now shift to stop using software they don’t control and develop these capabilities in house, which can waste development resources from producing products and services that generate revenue? What about embedded systems that have limited network connectivity or limited storage space to support continuous updates?
When looking at the history of massive security breaches like Target, SolarWinds, Sony or Equifax, there is certainly a need to hold someone accountable, particularly when the incident impacts consumers, shareholders or critical infrastructure. However, there are too many questions and complexities within existing software supply chains to simply regulate this problem away. I cautiously look forward to seeing how the administration navigates these issues without impeding innovation or levying burdensome penalties.
Federal Cybersecurity Insurance
One of the more interesting strategic objectives is to explore the creation of a Federal Cyber Insurance backstop. The concept is similar to FDIC for banks or disaster relief funds for natural disasters. A government cybersecurity insurance fund could be used to support areas of economic strategic investment that are not mature enough for full blown commercial cyber insurance, but need some sort of financial safeguard. The backstop can also be used for national level services that would have a catastrophic impact to the country if they were impacted due to a cyber event. A federal cyber insurance fund could be meted out like a disaster relief fund to help these critical services restore functionality or shore up finances in a time of crisis. Overall, I think this is a good thing and could provide some stability to the technology sector that is at times beholden to a cybersecurity insurance industry that has high rates and uncertain payouts.
Global Supply Chain
The COVID pandemic broke the equilibrium of a fragile global supply chain. Small disruptions in factory output or the availability of supplies brought several previously stable industries to a halt. As a result, the United States is rightfully considering the security of this global supply chain and what components are critical to maintaining military and economic superiority.
Computer chips are at the forefront of maintaining this military and economic superiority. In 2022 the Whitehouse signed an executive order, called the CHIPS and Science Act, to fund initiatives to make critical supply chain components, like semi-conductors, in the United States. Shifting or changing the global supply chain will take time, particularly with semi-conductors and so it makes sense to start immediately. Almost all of the manufacturing for semi-conductors occurs in Asia (South Korea, Taiwan and China) and it makes sense for the United States to begin to diversify this critical resource from a geographic region that is seeing increasing geopolitical instability. For example, if China invaded Taiwan it would massively disrupt the global supply chain for the rest of the world (including the United States). However, most semi-conductor industries have been built with, or heavily subsidized by, local governments and so the United States will have to match or exceed these subsidies if they truly want to be competitive in the global market, while securing a critical component of the supply chain.
Wrapping Up
Overall, the National Cybersecurity Strategy is a comprehensive and forward thinking strategy that has identified areas of national strategic cybersecurity importance in need of investment. Not all of the strategic objectives are clear on how they will achieve the goal without causing unintended negative consequences, but the intent to improve the resilience and preparedness of the United States is evident.
370 Security Blog 