Sonatype

Nervous About the National Cybersecurity Strategy in Nantucket


Dear Sloan,

I’m seeing a lot in the news about the National Cybersecurity Strategy rolled out by the federal government. While news sources have provided an overview of what it is, I haven’t been able to deduce what it actually means to me – and others – in my work as a software developer. 

What am I up against here? Should I change the way I do things?  

Thank you,

Nervous in Nantucket


Dear Nervous,

The National Cybersecurity Strategy calls for building and maturing a digital ecosystem that is more resilient against cyber attacks. The Strategy frames two fundamental shifts in how the United States will allocate roles, responsibilities, and resources in cyberspace:

  1. A call for cybersecurity liability and holding software providers responsible
  2. Aligning incentives to favor long-term investments in cybersecurity

National Cybersecurity Strategy’s Impact on Software Development

You’re definitely right to take note of the Strategy, as it will certainly affect your work as a software developer.

The Strategy aims to change how organizations create and use software: it calls for the implementation of protocols to ‘prevent bad outcomes’ and for vendors to take full responsibility for protecting consumers. It also makes clear that legal liability can’t be pushed off onto the “open-source developer of a component that is integrated into a commercial product.”

The White House National Security Strategy also moves to hold accountable companies that collect massive amounts of information and then leave that information open to attackers with little recourse. Without regulatory change, the consequences of these breaches can be huge for consumers, while the resulting lawsuits amount to a rounding error and a cost of doing business for the companies involved.

Brian Fox, co-founder and CTO of Sonatype, had an opportunity to review and provide feedback to the authors of the strategy. 

“…As I had the opportunity to read it, I was thinking, ‘Wow, this is really good. It’s really big. It’s encompassing.’ The preface sets out a pretty sobering reality of where we are in terms of threat actors from hostile nation-states. And then of course diagnoses what we’ve been talking about for a long time, which is the sad state of typical security in most software these days.” 

“And as I read through it,” he continues, “I immediately became a fan of like, ‘Yes, this is a very different way of approaching this — one that I don’t think has been really talked about much before.’”

So the goal is…perfection?!

Not exactly.

The Strategy does recognize that even a perfect security process can’t guarantee perfect outcomes, but vendors should no longer be able to disclaim any and all liability.

Establishing safe harbors lets the industry mature incrementally: organizations level up their security practices in order to retain a liability shield, rather than being asked for sweeping reform and unrealistic outcomes, as previous regulatory attempts have done.

How to Prepare for the National Security Strategy

According to Fox, preparation can be divided into two parts:

1. “Incentivize the adoption of secure software development practices”, “Secure by Design” and “Secure from the Start”

Sonatype’s Platform helps organizations build secure software by identifying and remediating vulnerabilities early in the development process, enabling companies to ship software with no known open-source vulnerabilities and mitigating liability issues down the line.

  • Provides visibility and control over the open-source components and third-party dependencies used in software applications.
  • Prevents malware from entering the software development environment, like no other solution on the market.
  • Automates security testing and implements continuous monitoring of software components throughout the development lifecycle.

2. “Promotion of the further development of SBOMs”

An SBOM (software bill of materials) is a formal list that details the third-party and open-source components that make up a software application.

  • Nexus Lifecycle integrates across your entire software supply chain and enables customers to automatically create SBOMs and receive actionable remediation advice.
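To make the SBOM idea concrete, here is an added example (not Sonatype or Nexus Lifecycle code, and not part of the original column) that builds a minimal SBOM in the CycloneDX JSON layout, parses the component list back out, and matches each component’s package URL against a small advisory list. The CycloneDX field names (`bomFormat`, `specVersion`, `components`, `purl`) are real; every component name, version and advisory in the sample is a constructed placeholder, not a real package or vulnerability.

```python
"""Build, parse and check a minimal CycloneDX-style SBOM.

Added example, not Sonatype code. The SBOM contents and the advisory
list are constructed sample values for illustration only.
"""
import json
from dataclasses import dataclass

# Constructed sample SBOM using the CycloneDX JSON layout.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "example-app", "version": "2.0.0"}},
    "components": [
        {"type": "library", "name": "example-json", "version": "1.3.2",
         "purl": "pkg:maven/org.example/example-json@1.3.2"},
        {"type": "library", "name": "example-logger", "version": "4.1.0",
         "purl": "pkg:maven/org.example/example-logger@4.1.0"},
        {"type": "library", "name": "example-http", "version": "0.9.7",
         "purl": "pkg:npm/example-http@0.9.7"},
    ],
})

# Constructed advisory feed: (purl without version, affected versions, fixed version).
SAMPLE_ADVISORIES = [
    ("pkg:maven/org.example/example-json", {"1.3.0", "1.3.1", "1.3.2"}, "1.3.3"),
    ("pkg:npm/example-http", {"0.9.7"}, "1.0.0"),
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


def parse_sbom(text: str) -> list[Component]:
    """Return the library components listed in a CycloneDX JSON SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        if c.get("type") != "library":
            continue  # skip applications, files, etc.; we only want dependencies
        comps.append(Component(c["name"], c["version"], c.get("purl", "")))
    return comps


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/ns/name@version' into (base, version); version may be empty."""
    base, sep, version = purl.rpartition("@")
    if not sep:
        return purl, ""
    return base, version


def find_affected(components, advisories):
    """Match SBOM components against advisories; return (component, fixed_version) pairs."""
    hits = []
    for comp in components:
        base, version = split_purl(comp.purl)
        for adv_base, affected, fixed in advisories:
            if base == adv_base and version in affected:
                hits.append((comp, fixed))
    return hits


if __name__ == "__main__":
    comps = parse_sbom(SAMPLE_SBOM_JSON)
    for comp, fixed in find_affected(comps, SAMPLE_ADVISORIES):
        print(f"{comp.purl}: affected, upgrade to {fixed}")
```

Matching on the package URL rather than on the bare name is deliberate: the same library name can exist in several ecosystems, and the purl carries the ecosystem and namespace, which is what a real advisory source keys on.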

Learn More, Relax, and Do the Right Things!

I encourage you to continue reading about the National Cybersecurity Strategy and the Key Changes in Software Liability. Take your colleagues on a tour of the strategy with this National Cybersecurity Strategy Fact Sheet.

Hopefully, these insights have minimized the panic a bit. I am firm in my belief that this is, indeed, a good thing, and industry leaders like Fox agree that it is a step in the right direction. “The thing to keep in mind is that this is a strategy, not a regulation. It’s a call for work that would hopefully lead to some type of policy and regulation,” he says.

“It basically turns that table around again and says, ‘If you’re at least not doing the basics, you might be liable if something bad goes wrong.’”

…and that seems only right to me.

Best,

Sloan

~ Making Cyber a Safer Space

Ingmar

Keeping an eye out for the effects the NSG will have on European legislation, also curious to learn more on the European Cyber Resilience Act and Sonatype’s opinion on the fine print.