The Biden administration’s new National Cybersecurity Strategy suggests it will take a thorough approach to understanding what authorities currently exist to regulate critical infrastructure sectors of the economy and what cybersecurity gaps there are, and also work with regulators, industry and Congress to close these gaps, officials from an association representing information technology companies said last Friday.
However, until these reviews are done, it’s unclear whether new cybersecurity regulations will be necessary or even effective, John Miller, general counsel and senior vice president of policy, trust, data, and technology at the Information Technology Industry Council (ITI), said during a webinar hosted by the association to discuss the National Cybersecurity Strategy.
The National Cybersecurity Strategy was issued on March 2 and it diverges from its predecessor in areas such as making a greater effort to establish minimum cybersecurity requirements for critical infrastructure entities, and shifting liability for software security onto the companies building and selling software.
Miller said a positive highlight of the strategy is the acknowledgment that existing regulations and new ones need to be streamlined and harmonized, something industry and ITI have “long called for in the cyber arena.”
“The strategy acknowledges that new regulations are not without cost and encourages regulatory agencies to consult with regulated entities to better understand how these proposed regulations may impact resources and those sorts of decisions,” he said.
Gordon Bitko, ITI’s executive vice president of policy, echoed Miller’s comments and also highlighted that the strategy sticks with the ongoing commitment by the current and previous administrations to work with “a lot of stakeholders” on any regulations. However, Bitko said he hopes the forthcoming implementation plan for the strategy shows an understanding that the stakeholder community goes deeper than just the regulated entities, and that it asks what the objectives are, how regulations will achieve them, and what is expected from government and from industry.
The implementation plan is expected in the coming months, administration officials said last week.
Administration officials, particularly Cybersecurity and Infrastructure Security Agency Director Jen Easterly, have been stressing the need for software products to be secure-by-design, meaning built with security as a core feature from the start rather than shipped and then patched as vulnerabilities are discovered in products already on the market. The strategy hopes to incentivize this outcome by imposing liabilities on the companies building and selling the software.
But where the cut line should be between the companies that may be subject to liabilities and those that won’t is yet to be determined and will be difficult to sort out.
Miller said that based on his reading of the strategy it will be companies with “market power” that are liable for secure software. He also said that there is an “underlying premise” in the strategy that “bigger companies are somehow cutting corners and not using appropriate software assurance practices.”
But, he pointed out, there isn’t any evidence or data that supports this assumption. He also said that wherever the cut line falls, whether at a $1 billion company or a $5 billion company, products from companies above it will probably cost more, while below the line you get “cheaper software that might contain more vulnerabilities.”
Here again, the implementation plan will be important, Miller said.
Bitko said that the liability effort will be “really difficult to implement,” agreeing with Miller that entities that are below the cut line won’t “have to comply with good software practices.”