In early March, the White House issued its latest National Cybersecurity Strategy to set the federal government on a course towards greater regulation of industries considered critical to national security.
The strategy is influenced by several major security incidents that threatened essential public services during the first year of the Biden administration and could lead to increased legal jeopardy for software developers.
The strategy reflects the rapid evolution of the threat landscape, noting that “malicious cyber activity has evolved from nuisance defacement, to espionage and intellectual property theft, to damaging attacks against critical infrastructure, to ransomware attacks and cyber-enabled influence campaigns designed to undermine public trust in the foundation of our democracy.”
Read below for key takeaways from the new White House cyber strategy and implications for enterprise security leaders.
Key Takeaways of the National Cybersecurity Strategy
The National Cybersecurity Strategy is centered on five core pillars:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forget international partnerships to pursue shared goals
New Governance for Critical Infrastructure
One key aspect of the strategy is a call for new federal regulations governing critical infrastructure companies that are vulnerable to cyberattack, “tailored for each sector’s risk profile.” Already the oil and gas, aviation and rail sectors have more stringent regulations, and these would be extended to other sectors such as healthcare, which has recently experienced stepped-up ransomware attacks.
Increased Liability for Software Vendors
A second aspect is a White House commitment to work with Congress and industry to draft legislation that holds software vendors liable for security holes that can be exploited by cyber criminals and foreign governments. “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes,” the strategy notes, “not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”
The strategy is a policy document rather than law. It will likely face both intense industry lobbying and scrutiny in Congress, which could water down or eliminate some of its recommendations. For example, the oil and gas industry successfully rolled back earlier cyber regulations, calling them too onerous and unrealistic.
But the core tenets of the policy will remain, even if the details change. As a result, expect a tighter regulatory environment across multiple industries plus increased legal scrutiny of software firms that build cybersecurity products.
Get tips for navigating the evolving cybersecurity landscape — including the new White House cyber strategy — in the 2023 Cybersecurity Conversations Report.