Shifting Accountability to Tech in New National Cybersecurity Strategy

The White House released an official National Cybersecurity Strategy as part of the current administration’s efforts to strengthen our nation’s approach to cyber defense. Specifically, the strategy emphasizes a need to shift the burden of cybersecurity. This blog will discuss where the responsibility of security currently lies and how the new strategy could alter the chain of accountability in the future.

Bearing an Inequitable Burden

Our extensive and still rapidly growing interconnectedness—accelerated by the explosion of cloud services, mobile devices, and Internet of Things (IoT)—is exposing our organizations to costly systemic risks. In last year’s Cost of a Data Breach Report, the average cost of a data breach in the United States was at $9.44 million. 

As if the astronomical costs of cyber attacks weren’t enough, the cyber threat landscape has also gone from bad to worse. In addition to the usual threat actors, we now face adversaries who are vastly more equipped, skilled, and funded than even the most notorious cybercrime gangs. Countries like China, Russia, Iran, and North Korea have become more aggressive in perpetrating cyber attacks that cause widespread disruptions and massive financial loss. 

Ironically, our expectations of cybersecurity for cloud providers, software vendors, data center operators, and other large enterprises are the same as for individuals and small businesses, who lack the resources and know-how to fend off highly sophisticated, and now nation state-funded, cyber attacks. How can an organization armed with only a firewall and an outdated antivirus thwart, for instance, zero-day attacks and AI-synthesized malware? 

This inequitable burden is unfortunately a systemic issue. In a recent interview, our own CEO, Tony Scott, shared an anecdote from his stint as Federal CIO during the Obama administration. He said he used to joke back then that the Marine Mammal Commission had the same cybersecurity requirements as the Department of Defense (DoD) despite having much fewer resources to meet those requirements compared to the DoD. 

Why should this inequity concern us? Well, our interconnectedness can enable a cyber attack at one organization (poorly-defended or not) to kick off a domino effect that may affect other organizations directly and indirectly associated with that first victim. The Clop ransomware gang’s zero-day attack on GoAnywhere MFT early this year, for example, is believed to have already affected at least 130 organizations worldwide, including the City of Toronto, Saks Fifth Ave, and Hitachi Energy. Companies across the globe use GoAnywhere MFT to carry out secure B2B file transfers with trading partners, so it’s possible for an attack on one organization to spread to others.  

If we continue relying on individuals and small businesses to provide the same level of cybersecurity as large organizations, we all run the risk of being defeated. To address this issue, one of the goals the National Cybersecurity Strategy set forth is the rebalancing of responsibility for cybersecurity. Efforts to counter cyber threats have to be more effective and equitable. 

How the Strategy Aims to Rebalance Responsibility and Accountability in Cybersecurity

The new Cybersecurity Strategy aims to shift a bulk of the responsibility currently resting on the shoulders of individuals and small businesses to the large organizations who build, service, own, or operate the systems where our data and business processes reside. In a way, the new strategy is rightfully shifting cyber risk reduction efforts not only to those who are more capable of effecting it, but also to where those efforts can make greater impact.

For instance, we all know social media, search, and other tech companies hold the vast majority of personal data. And yet when a data breach happens, it’s the customers who suffer disproportionately. Some citizens even lose their life savings. To rectify this mistake, the new strategy is calling for legislation that will impose more stringent limits to the wholesale collection and storage of data as well as more rigorous requirements for securing the data in question. 

The strategy also calls for legislation that will hold software vendors liable for developing insecure products. This will minimize the rampant practice of churning out software products plagued with vulnerabilities, which eventually put users in harm’s way. 

To implement these changes, the Biden-Harris Administration will be taking a carrot and stick approach. While the strategy is predictably pushing for cybersecurity regulations characterized by stringent security measures, it’s also promoting incentives that will encourage stakeholders to invest in cybersecurity.

Among the types of incentives mentioned are federal grants for investments in critical infrastructure that are designed, built, and maintained in accordance with cybersecurity best practices. Funds from these grants will be accompanied by technical assistance as well as other forms of support. In addition, the government is also expected to offer tax credits, procurement preferences, and other attractive incentives. 

The combined effect of regulatory requirements and government incentives should both compel and encourage the stewards of our data and providers of critical infrastructure to take on more cybersecurity responsibility than what they currently hold. 

Facing the Challenge

While this long-overdue National Cybersecurity Strategy is certainly a big step towards improving the United States’ overall cybersecurity posture, the path to successful implementation won’t be easy. The recent massive layoffs in tech are bound to put additional strain to an already overloaded cybersecurity workforce, which in turn, is going to make it difficult for organizations to pursue new cybersecurity projects. 

To answer the call of this new strategy, companies must be prudent in improving their own cybersecurity posture. Since the talent shortage is one of the biggest obstacles, organizations must find ways to beat the cybersecurity skills gap first. 

Despite the looming challenges ahead, Tony Scott has a positive outlook. He compares the current scenario to the quality crisis in manufacturing that American companies faced and fixed in the 1980’s. The US government addressed the crisis by enacting the Malcolm Baldrige National Quality Improvement Act of 1987, which motivated companies to improve the quality of their goods and services. 

Scott said, “We need that same focus when it comes to quality in software and telecom and compute…” adding that, “We just can’t be tolerant of accepting the status quo … Cybersecurity is hugely too costly to every man, woman, and child and every business in the country, and it should be intolerable.”

Indeed, just as we fixed the quality crisis back then, we should be able to fix this cybersecurity problem now. As long as we work together, it can be done.