In yesterday’s blog, (LINK) we highlighted the Biden Administration’s positive step towards rebalancing the economics of cybersecurity. By shifting the narrative away from “blaming the victim” of cyberattacks, we are moving in the right direction to creating a market economy of products with cybersecurity embedded in their very design.
However, this won’t be easy. For many companies this could mean a fundamental shift in their core business plan. Given the fact that virtually our entire economy is now dependent on the vary hardware and software products that are the target of this initiative, there could be substantial risks.
Fortunately, there are a number of companies who have been implementing secure by design and default (SDD) practices for years now – long before CISA or the Biden Administration published their proposals.
Recently, the Internet Security Alliance’s board of directors conducted a “listening session” for DHS in which leading companies representing the IT software and cloud services sectors, the Defense Industrial Base, the financial services sector and the energy utility sectors described how SDD might impact their operations. Based on these conversations, a set of ten best practices for SDD emerged.
We don’t want to reinvent the wheel although we may need to redesign it. Here is a good place to start:
- Safeguard open-source code resources: CISA needs to work with open-source consortiums like OpenSSF to help guide businesses to exchange secure code.
- Encourage consumers to adopt best practices: CISA should determine the most effective approach to ensure consumers are following best practices like regularly adopting and implementing software updates and patches.
- Build confidential channels for information sharing between CISA and industry: Designate a platform where partners from the public and private sectors can confidentially discuss pertinent challenges and share best practices.
- Adopt a “shift left” philosophy in development: Organizations can ensure maximum efficiency in the development process by monitoring and testing for defects as soon as possible – simultaneously creating a more secure product.
- Promote software indemnification: Vendors are more likely to prioritize cybersecurity in their products if they bear some of the financial risks of product failure. Software indemnification would spur innovation in cybersecurity by protecting creative solutions to cyber issues.
- Reform the CMMC scoring method for government contracts: Revise the scoring system to include proportional scoring, practice substitution, weighted scoring, and resource sharing to create further incentives for SMBs and support more nuanced decisions by the government and prime contractors.
- Harmonize regulation: The OMB should require that any new proposed regulation must be accompanied with the finding from the regulatory agency that it is not redundant with any existing regulatory requirement.
- Revamp a united cybercrime response: The government should work with industry to reform cybercrime fighting initiatives. We must streamline the process to build resilience into our collective response.
- Incentivize energy companies to invest in cybersecurity: This needs to begin with designating one governing body that instructs energy companies which cybersecurity policies they need to be investing in. The governing body should then implement several tiers of Federal cybersecurity investment tax (FCIT) credits to incentivize businesses to adopt best cybersecurity practices.
- Continually evaluate implementation status: Policies must be treated as a continuous improvement process, NOT a one-stop solution.
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERISTY PRESS 2023).