On March 3rd, the White House released its National Cybersecurity Strategy. The document aims to tackle five key pillars, one of which is a fundamental challenge at the heart of the industry: “Shape market forces to drive security and resilience.” In this pillar, the strategy aims to take on what is commonly known as cybersecurity’s third rail: a liability shift from users to software manufacturers. The strategy purports to use a combination of sticks and carrots to shift the current misalignment of incentives, where organizations that invest in secure software are at a disadvantage in both speed and cost to organizations that do not.
I’ve been talking about this challenge my whole career. The current state of best practice is to comply with broad cyber security standards and frameworks that may, but in practice, often do not adequately address software security. In 2021, when president Biden issued an executive order citing software security, I was excited to see a significant first step. The release of the NIST Secure Software Development Framework (SSDF), which finally meant an industry-wide standard around secure software, was a significant related development. The EO applies to software manufacturers who sell to the US federal government. Shifting liability to manufacturers is much broader reaching.
The ramifications of adopting security in the software process are huge and will be costly. Software liability has been so thorny because producing 100% secure software is practically impossible. Thankfully, the strategy introduces the concept of a safe harbor, where organizations can shield themselves from liability by following established best practices, such as those in the SSDF. In doing so, they are following the pattern already established by other standards like the Payment Card Industry (PCI) Software Security Framework (SSF), where organizations can attest to their security by following a Secure Software Lifecycle approach.
The impending changes will force companies to move away from a testing-only strategy and incorporate more robust security throughout the development process. It will also necessitate audit trails where they don’t usually exist, such as in software design. Security-by-design was the topic of focus by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly in a recent address at Carnegie Mellon University.
Inevitably, some people will look at this proposed strategy and wait to react. After all, proposing and passing legislation through congress is likely years away. This approach would be a mistake. From our experience, the act of changing software processes across a company to integrate security in every phase can take years since it involves process, behavior, and skill changes. Now that the possibility of software liability has been opened, governments worldwide will take notice, and other countries will pass liability laws even if the US does not. Retrofitting old code into the new process will be onerous; the right time to start planning is right now.
If you’re looking to start with the NIST SSDF, take a look at our whitepaper.