The White House has released a national cybersecurity strategy that seeks to make the digital ecosystem more resilient against hacking campaigns.
Officials outlined the strategy in a 39-page document published this morning. The document, which was created with input from more than 20 government agencies, has five primary sections.
One section focuses on making software companies more accountable for vulnerabilities in their products. Another calls for the creation of minimum software security standards in critical areas, such as the water infrastructure sector.
The three remaining sections of the White House’s new cybersecurity strategy each focus on a different priority. One priority is to “disrupt and dismantle threat actors” to prevent them from launching cyberattacks in the future. The two other sections emphasize investing in secure technologies and building international partnerships to tackle cyber threats.
For tech companies, the first of the strategy’s five sections may prove particularly impactful. It calls for the implementation of legislation that would make tech companies liable if they “fail to take reasonable precautions to secure their software.” Furthermore, the envisioned legislation would prevent large industry players from creating customer contracts that fully disclaim their liability.
“To be able to ‘invest in a resilient future’ and ensure this new cyber strategy is a success, technology providers will now have to make securing their applications a priority equal to speed to market,” said Amy Baker, a security education evangelist at Security Journey Inc. “To do so, continuous secure coding training programs for all the members of the SDLC is non-negotiable.”
The 39-page document that describes the White House’s new cybersecurity strategy notes that “even the most advanced software security programs cannot prevent all vulnerabilities.” To address that situation, the White House will drive the development of a so-called safe harbor framework for tech companies. The framework will shield software makers from cybersecurity-related liability if they take necessary precautions while developing their products.
The third section of the new cybersecurity strategy could also have broad implications for the software industry. It asks regulators to establish minimum cybersecurity requirements for technology products used in critical sectors. “Regulations will define minimum expected cybersecurity practices or outcomes,” the strategy document states. There will also be rules to ensure that “systems are designed to fail safely and recover quickly.”
The fourth section of the strategy calls on the U.S. government to support research and development projects related to cybersecurity. The section places a particular emphasis on quantum computing, which has the potential to render existing encryption methods ineffective. To address that risk, the strategy calls for the federal government to prioritize the implementation of quantum-resistant encryption methods.
“The new landscape of quantum-related announcements and requirements from the federal government also creates urgency for many vendors and government contractors because those who are noncompliant will be named in reports and likely suffer reputational and economic consequences,” said Kaniah Konkoly-Thege, chief legal counsel and senior vice president of government relations at Quantinuum Inc., a quantum computing company.