The White House has published its new National Cybersecurity Strategy setting out expectations for organizations, specifically those within critical sectors, to step up their cyber security efforts and change the way in which they operate or risk the consequences.
NCC Group’s Senior Vice President, John Rostern, shares his thoughts on how the US aims to secure its most critical assets and enhance its cyber posture.
Driving resilience through regulation
The new National Cybersecurity Strategy marks a step change in the Federal Government’s approach to cyber security – moving from a reliance based on voluntary measures and public procurement levers to a recognition that regulation is needed to drive up standards. It argues that “the responsibility to defend cyberspace” should be rebalanced “by shifting the burden for cyber security away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us”.
This shift reflects the recent evolution of cyber security regulatory frameworks across the globe. Like the US, many governments believe that market-led cyber resilience has resulted in inadequate and inconsistent outcomes, with both the European Union and the UK strengthening NIS (Network and Information Systems) regulations (Spotlight on NIS and NIS2), and the Australian and Canadian governments following suit with their respective cyber security laws for critical infrastructure.
Establishing a minimum baseline of things that businesses ‘must’ and ‘should do’ based on factors such as industry sector and type of data at risk, will be valuable, and will put organizations in a better position to deal with unwanted situations. We have seen this in the UK, for example, where government research has found that the NIS regulations have strengthened regulated entities’ cyber security policies and processes, increased board support for cyber security and improved organizations’ understanding of their aggregate risks.
Another key aspect of the strategy is the provision of liability for software vendors as described in STRATEGIC OBJECTIVE 3.3: SHIFT LIABILITY FOR INSECURE SOFTWARE PRODUCTS AND SERVICES. This section states that ‘The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios.’ This is consistent with the overall theme of regulation in place of market forces or other voluntary measures to encourage software security.
However, while new regulations will support the US in setting an entry point for cyber security, it’s important to recognize that compliance does not equal security, it simply demonstrates a minimum standard. Security must be about more than being legally compliant.
An effective approach to cyber security must be based on risk assessment, treatment and acceptance. The Federal Government has validated this approach for over a decade in the FedRAMP program which is risk based. Will the proposed regulations ultimately lead to some form of certification? This approach would create several opportunities but managing such a process can also easily become nothing more than a paper based exercise with little or no impact on the actual state of cyber security – particularly where there is a reliance on point in time assessments.
This is the classic ‘carrot vs. stick’ analogy. ‘Carrots’ include use of government procurement levers (as FedRAMP does), or linking compliance with cyber insurance availability and cost. Alternatively. if the proposed regulations are based on the ‘stick’ in terms of fines and other sanctions, then considerable consideration must be given to how this will be effectively implemented. For example, will the penalties be civil in nature, or are there provisions for criminal penalties such as in cases where a cyber security failure leads to a loss of life?
What we don’t want to see is an increase in the number of organizations using these new minimum standards as a ‘get out of jail free card’ for their next security breach. Agencies must invest in supporting and incentivizing regulated entities to go beyond the minimum baseline, while also considering how they will measure progress to ensure the new regulatory measures are delivering desired security outcomes.
What does it mean for businesses?
While many of the Federal Government’s plans will depend on securing congressional support, businesses should prepare for:
- Additional regulatory cyber security requirements placed on critical sectors, in alignment with CISA’s Cybersecurity Performance Goals and NIST’s Framework for Improving Critical Infrastructure Cybersecurity – bringing the US into step with global counterparts such as the EU, Australia and the UK
- Greater emphasis on driving better cyber security practices in the cloud computing industry and for other essential third-party services supporting critical infrastructure
- Continued use of government procurement levers to drive up the cyber resilience of government suppliers
- Regulatory liability for software vendors, including the entire software supply chain
- Federal Government-driven legislative efforts to put the liability for software security on manufacturers and software publishers
- Federal Government-driven legislative efforts to promote privacy and the security of personal data
What’s next?
Under the oversight of the National Security Council and in coordination with Office of Management and Budget (OMB), the Office of National Cyber Director (ONCD) will coordinate implementation of the Strategy, with an implementation plan due to be published. Until we see this plan, the timelines for these reforms remain unclear – particularly given that many of them will rely on congressional support for new laws (something that will not be forthcoming in the Republican-controlled House of Representatives).
Biden’s Strategy does also commit to encouraging State-level governments and regulators, which have the authority to set cyber security requirements, to strengthen rules in critical sectors. How this will work in practice, alongside the interaction between State and Federal laws, remains to be seen. Will Federal laws override State laws, potentially undermining the growing number of State privacy laws in recent years? And, if so, will that increase red tape and confusion for affected organizations?
Call us before you need us.
Our experts are here to help you.