White House publishes National Cybersecurity Strategy. Should you care?

The White House recently released its National Cybersecurity Strategy, providing a road map for how the administration aims to defend the U.S. from a rapidly growing number of online threats.

Let’s take a moment to see what it is, to identify any immediate impact, and to consider how it may change the way we do business with some of our software vendors in the future.

First, to read what is in the strategy document, please go here.

The strategic roadmap attempts to address the security challenges faced by individuals and organizations across the country, including government. The authors also call out the challenges our economic and social systems present — finding agreement around issues, accountability, rules, regulations and more. But the document does not shy away from the need to find answers and implement solutions (there will be much discussion, disagreement, push-back, and more; but the debate is healthy). And regarding the area of accountability, the authors appear to believe that we have little hope of improving our situation if we don’t assign responsibility and accountability to those individuals and organizations best positioned to “fix what is broken.”

Why might the act of assigning accountability matter to you? If you have spent any time addressing your organization’s cybersecurity challenges, you know the feeling of helplessness that comes from recognizing how little you can do “on your own” to protect against the growing onslaught of cyberattacks. Seemingly everything we do today includes software written by others, performing operations we know too little about, that leave our organizations exposed to attacks by malicious actors. The Administration says something must change. They aren’t the only ones who think that.

Can the effort to assign responsibility to software makers make a difference? The strategy calls for legislation establishing liability for software makers that fail to take reasonable precautions to secure their products and services. They might have simply written “we see you, software developers.”

The proposed framework thus involves shifting the burden of cybersecurity away from individuals, small businesses and local governments and putting responsibility in the hands of software developers and other institutions with the requisite resources and expertise. I’m not surprised by this, having previously written about the National Security Agency’s recommendation that software developers fix their memory safety issues (NSA calls for software developers to fix memory safety issues). It’s clear federal cybersecurity experts recognize the role played by software developers both in creating problems and in “possibly” fixing them. The NSA made recommendations. The Administration is proclaiming that it wants to pursue requirements.

“The president’s strategy fundamentally reimagines America’s cyber social contract,” said Acting National Cyber Director Kemba Walden. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.” Walden added, “the biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.” She said that laying responsibility on individuals and groups who lack the resources to protect themselves is both “unfair” and “ineffective.”

Does any of this impact how you work with, or will work with, your software vendors? It certainly will impact your institution in multiple ways IF software developers are held to account. We will see developers focusing more resources on their specific offerings (both as stand-alone applications and as part of your broader enterprise deployments). And we will see industry-wide efforts to promote, even police, more secure offerings. After all, software talks to software.

But even if it takes years for such responsibility to be placed on software developers, there are things we as credit union cybersecurity leaders can do today to recognize the developers’ “role and responsibility” to deliver more secure solutions to us.

Credit unions can hold third-party software developers accountable for the security of the software they sell (right now) in a number of ways (some of which you may already be doing):

  1. Contractual obligations: Credit unions can include specific contractual obligations in their agreements with third-party software developers that mandate the developer takes responsibility for the security of their software. This can include clauses that stipulate the developer is responsible for any security breaches that occur as a result of their software.
  2. Compliance standards: Credit unions can require third-party software developers to comply with specific security standards and protocols, such as those set by the Payment Card Industry Data Security Standard (PCI DSS) or the National Institute of Standards and Technology (NIST). These standards can be used as a benchmark for evaluating the security of the software. There is much to be done here, and much more to be asked of software developers.
  3. Regular audits: Credit unions can regularly audit the security of the software provided by third-party developers to ensure that it meets the required standards. This can include conducting vulnerability assessments and penetration testing to identify potential weaknesses in the software. Credit unions should be looking to work together to define the tools and make them available.
  4. Information sharing: Credit unions can collaborate with other financial institutions and industry groups to share information about security issues related to third-party software (this could include CUSOs or newly formed groups focused on this subject). This can help identify potential vulnerabilities and allow for a coordinated response to security incidents.

The recent White House cybersecurity roadmap may turn out to be more wish list than action plan, but it makes clear the role software developers play in our cybersecurity challenge. And with or without national rules and regulations, credit unions will be held to account for their managed cybersecurity efforts, so they must ensure that they are taking appropriate steps to hold third-party software developers accountable for the security of the software they develop. This won’t be easy. But its time has come.

Greg Crandell

Greg Crandell provides strategy, market planning, business development, and management consulting to financial technology firms and their clients – Credit Unions and Banks. For more years than he wishes to admit, ... Web: queryconsultinggroup.com