Introduction by ISA President Larry Clinton
The reality is that we are losing the fight to sustainably secure our cyber networks – and losing badly. This means we need to change the way we have been approaching the issue. That begins by stopping the blame game focusing on the victims of cyber-attack and beginning to do the hard work of rebalancing the economics of cybersecurity.
The proposal released by Cybersecurity and Infrastructure Security Agency (CISA) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. and Pillar Three of the Biden Administration’s National Cybersecurity Strategy: “Shape Market Forces to Drive Security and Resilience” begin to move us in the right direction – but it’s going to take some hard work to turn these sentiments into practical reality.
This is the first of three blogs discussing the implementation plan’s proposal for secure by design (SDD). The key is to balance SDD implementation while simultaneously promoting innovation and competition.
The core CISA approach aligns with the long-standing ISA belief that, while private entities ought to take reasonable security precautions, that the more fundamental issue how do we rebalance the economics in which all the incentives favor the attackers so that enhanced cybersecurity is coordinated with the market economy under which the USA operates.
CISA is correct in noting the current economic model for the development of hardware and software — i.e. get your product to market as quickly as possible and fix security issues later with patches and updates – does not provide adequate security. However, altering that model carries substantial risk as it is the innovation of the IT community that is largely responsible for much of the economic and defense progress we have achieved over the last 25 years.
CISA argues that building software security into the design process prior to developing, configuring, and shipping products, manufacturers can create technology that is safer, more secure, and more resilient against cyber intrusions.[i] That may be true, however if that process elongates the design process and limits the utility of the products these steps may make the products uncompetitive in the international market – no one wants laptops that cost $10,000 and are slow and no one will buy.
Recently CISA, held a “listening session” with the ISA board of directors including presentations from companies representing the IT software and cloud services sectors, the Defense Industrial Base, the financial services sector and the energy utility sectors examining how best to implement these ideas going forward and proposes. That process has produced seven general principles as a basis for future discussion on how to implement this strategy. Theos seven tentative principles are:
- Security, unlike compliance, is not an end state but a varying stage of development. As a result, whatever secure by design/default program is created it needs to be understood as a continuous improvement process not a one-stop solution.
- A secure by design/default policy must follow an over-arching risk management approach that appreciates the need to reduce technical vulnerabilities as co-equal with the need for promoting US innovative supremacy and the economic vitality of private industry operating in a market economy.
- There are, and will be, costs to enhancing hardware/software security by design and default. These costs will need to be clearly understood and woven into future policy. Moreover, these costs need to be jointly borne by providers, consumers and government.
- Creating technically less vulnerable hardware and software is both possible and practical. However, this new paradigm will only be sustainable if the economic and innovative dimensions of the unique economic models’ critical infrastructures operate in are properly understood and addressed.
- There are several existing examples of viable business plans and structures that do already generate products secure by design and demand. These models can, and need to be studied, and adapted to enable wider use of the best practices that generate more secure products.
- A persistent issue in creating a more secure by design/default paradigm is the lack of adequate economies of scope and scale for smaller players. Government must work collaboratively with industry to find novel ways to provide incentives for smaller firms to manage costs as well as incentives for larger players to share technologies and practices with smaller entities. This may entail the need for new, more flexible, and egalitarian public private structures to be created.
- Creating a secure by design/default model would cause a dramatic shift in the fundamental economic model for hardware and software development. As a result, implementing a paradigm that addresses cyber risk empirically in both its technical and financial terms is required. The traditional checklist of operational mandates does not take these factors into account and hence will need to be replaced with modern cyber risk assessment models that balance operational requirements with business economics.
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERISTY PRESS 2023).
[i] “Security-by-Design and -Default: CISA.” Cybersecurity and Infrastructure Security Agency CISA, June 12, 2023. https://www.cisa.gov/resources-tolls/resources/secure-by-design-and-default.