As cyber threats targeting national networks continue to grow in prominence, the Biden administration's National Cyber Strategy plans to shift more of the responsibility for cybersecurity onto the tech companies that have the expertise and resources to act, with the aim of keeping organisations and individual users protected, CNBC reported.
A government spokesperson said that placing responsibility for cybersecurity on people and companies that lack the resources to protect themselves is "unfair" and "ineffective".
The strategy proposes legislation that would make software vendors liable when they fail to properly secure their products and services, paired with "an adaptable safe harbour framework" that tech companies could adhere to in order to limit that liability.
It also calls for expanding minimum security requirements in certain industries to improve the security of critical infrastructure, and for treating ransomware as a threat to national security rather than a merely criminal act.
The Biden administration has also cited a federal insurance backstop as a possible avenue for further development: in the event of a major attack affecting the country, it would help support the US cyber insurance market.
Additionally, the strategy outlines plans to prioritise long-term investment in cybersecurity research, development and talent.
According to a senior government official who spoke to CNBC, the liability legislation is not expected to pass through Congress within the next year, but it is intended to form part of the administration's longer-term plans.
“The president’s strategy fundamentally reimagines America’s cyber social contract,” said Kemba Walden, acting national cyber director for the US Government, during a press briefing.
“It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.
“The biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
In May 2021, following an attack on Colonial Pipeline that disrupted the delivery of fuel throughout the US, President Joe Biden signed an executive order to bolster the country’s defences.
The need for vulnerability management
Brian Fox, CTO of software supply chain management company Sonatype, was involved in the development of the US National Cyber Strategy, and believes that while it’s a positive step forward, a wider conversation is needed to ensure that organisations stay protected.
Fox explained: “The strategy aptly starts by taking away vendors’ ability to disclaim any and all liability, while recognising that even a perfect security process can’t guarantee perfect outcomes. Establishing the concept of safe harbours allows the industry to mature incrementally, levelling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.
“The strategy also moves to hold accountable companies that collect massive amounts of information and then leave that information open to attackers with little recourse. Without regulation changes, the ramifications of these types of breaches can be huge for consumers, while the resulting lawsuits amount to a rounding error and a cost of doing business for these companies.
“Changing the dynamics of accountability is the only way to drive the proper outcomes. But it’s just the beginning of a much larger conversation.
“Shifting accountability will not prevent bad actors from launching malicious attacks. As organisations move to protect themselves, we must not lose sight of the overall goal: resilience through prevention. Successful security strategies will still depend on preemptive measures and vulnerability management programs.”