White House National Cybersecurity Strategy – Key Takeaways

Originally published by DigiCert.

Written by Mike Nelson.

Earlier this month, the White House released their National Cybersecurity Strategy, demonstrating a heightened focus in the highest levels of government on securing our digital interactions, which, as we’ve seen with recent attacks on critical infrastructure, have tangible impacts on the real world.

I'm excited to see these issues considered and have long championed the need for establishing digital trust in many of the areas that the White House Strategy addresses. Here are a few of my takeaways from the strategy and what product developers should keep in mind moving forward.

Cybersecurity is a shared responsibility, but manufacturers hold the lion’s share

One of the key points in the National Cybersecurity Strategy is that the responsibility of cybersecurity rests primarily with developers and manufacturers.

The White House fact sheet on the strategy announcement notes, “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

I’ve shared before that cyber is a shared responsibility and that consumers should have the right to assume the security of products they purchase. However, individuals still have some responsibility and will need to use best practices like MFA, secure WIFI and rotating passwords.

But developers and manufacturers should hold the lion’s share of responsibility for cybersecurity, as they are “most capable and best positioned” to implement digital trust, which has become more apparent as the industry has matured.

Would you buy a car that wasn’t crash tested? What about a device?

This discussion of responsibility for security reminds me of growing up in an era when seatbelts were optional, but they are now required by law for the safety of passengers. Now that all our critical infrastructure has software on it, it’s no longer an option for security to be an afterthought in the manufacturing process. Manufacturers must ensure that security is baked into the entire development of products and software, or else they could be held responsible for vulnerabilities.

Putting it another way, would you risk buying a car from a manufacturer that didn’t test the product safety and share that information with you? Or what about a new drug that wasn’t designed and tested with safety in mind? If you are hesitant to buy other products that aren’t secure by design, then why not apply that to IoT devices that may be in your home, car, office or on your person?

Just as carmakers and drugmakers are held liable for their products, I believe developers and manufacturers involved in the design and production of smart critical infrastructure should be held liable for the security of the devices, code and any data those devices collect and store.

What that liability looks like in the United States will still be determined, but it’s likely to include financial consequences. Additionally, it’s clear that manufacturers need to be prepared and ahead of the game. There is an urgency for companies to do more with digital trust for their software and to take more responsibility for cybersecurity.

Increasing device security is a trend in regulatory bodies

We’re seeing similar regulations putting responsibility on manufacturers furthered in other markets as well. For instance, the EU Cyber Resilience Act puts more liability on IoT device manufacturers, leading to massive fines and penalties for noncompliance. This act will give consumers more purchasing power and trust in their devices and more transparency about the security of what they’re purchasing.

The White House also mentions IoT security labels: “Through the expansion of IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.” There have been efforts underway for IoT security labels in multiple countries including Singapore, Finland and the EU. Labelling that discloses security details about devices would further empower consumers the same way that nutrition labels on food products empower them to make well-informed purchases.

This shared move across governments to pass regulations for software and IoT development makes sense and will hopefully create a trusted global supply chain where, as the National Cybersecurity Strategy states, “like-minded nations counter threats to our digital ecosystem through joint preparedness, response, and cost imposition.”

A cyber-resilient future requires more digital trust

The White House Strategy comes at a time where the case for digital trust, or providing confidence that our digital interactions are secure, has never been clearer. The internet is evolving, and so is our threat landscape. As stated in the strategy, “As we build a new generation of digital infrastructure, from next-generation telecommunications and IoT to distributed energy resources, and prepare for revolutionary changes in our technology landscape brought by artificial intelligence and quantum computing, the need to address this investment gap has grown more urgent.”

Unfortunately, security has all too often been an afterthought for IoT devices. There has been high demand for manufacturers to bring their products to market, and it’s led to devices and software that is infamously full of vulnerabilities. On top of that, threats have been evolving, and we will see even more tools for attackers in the future using AI, post-quantum computing and other emerging technologies.

Thus, security needs to be baked into the way connected products are designed, built, tested, deployed and operated. This regulation that is shifting liability is a great step forward to holding developers and manufacturers accountable for failing to bake security into the design of their products.

I applaud the government for taking a more proactive approach in what’s needed to build a more cyber-resilient future. I also warn developers that they need to start adapting their practices now so that they are prepared for the regulations coming.