The US National Cybersecurity Strategy Through A Product Security Lens

The US National Cybersecurity Strategy Through A Product Security Lens

The Biden administration has been increasing cybersecurity efforts signaling industries, such as automotive, medical devices, critical infrastructure, and others, that regulations are about to be tightened on product security. The US National Cybersecurity Strategy presented a unifying idea of cooperation between private and public sectors focusing on assessing and securing the internet and connected devices on a global scale. 

There are 5 main pillars discussed in the bill and covered in the US National Cybersecurity Strategy 2023 Product Security Takeaways, they are:

Pillar one: Defend critical infrastructure

The administration sees how much our society has become dependent on technology– from monitors, sensors, IoT devices, and beyond. Everything is now connected to the internet. 

The internet is a patchwork of various levels of security and Untrustworthy open-source components, all stacked upon each other like a dangerous house of cards. The first pillar of the bill lays the groundwork for a more resilient technology infrastructure that’s not only effective today but also in the future. The bill states that “Regulating security requirements can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.” 

While the government acknowledges the private sector can manage most of the cyber attacks on its own, they intend to offer an additional layer of support in the form of central threat sharing, such as with CISA’s RVWP, and shielding companies from legal consequences, as long as they follow government product development guidelines. In essence, the strategy calls for all relevant branches of the Federal Government to work alongside industry experts to enable better communication and swift action. 

One of the biggest takeaways from this pillar is that the administration intends to help the private sector and individual citizens protect themselves against cyber attacks. Digging into the “how” next.

Pillar two: Disrupt and dismantle threat actors

Looking beyond its borders, the US is looking to protect the global internet.

This new bill goes beyond the US borders as America plans to work together with its allies around the globe until cyber-criminal organizations will deem their activities unprofitable. The administration promises to go after threat actors, as long as the private sector uses its expertise to deter them by minimizing vulnerabilities. But the lack of documentation and a transparent mindset makes mitigating vulnerabilities slow. Such was the case during the infamous 2021’s Log4j vulnerability, which caught Chief Product Security Officers (CPSOs) and Product Security Incident Response Teams (PSIRTs) off guard. 

Pillar three: Shape market forces to drive security and resilience 

This part of the document puts manufacturers and Tier-N suppliers of connected devices in the spotlight, holding them accountable. This is the only actionable pillar in the strategy. It points out the problematic trend of undocumented components that are currently embedded in countless vehicles, medical devices, industrial equipment, and other systems that are mission-critical.

The government’s new bill shifts the liability of the risky components to the manufacturers of insecure software products and services. Suppliers and manufacturers will have to recognize that shipping products and using software that contains known vulnerabilities are not acceptable practices. If they want to be taken seriously by the Federal Government and benefit from all that comes with it, they will need to address all known vulnerabilities in their software before being delivered to customers. 

The administration points to SBOMs as the obvious solution. An up-to-date global directory of SBOMs that reflect what lies inside each product, model, variation, and even each component. This kind of directory can help the private sector rapidly detect risky components, communicate and patch vulnerabilities, or detect a potentially risky supplier who can’t be accountable for reducing software supply chain risk

The US government envisions this as a global directory of SBOMs managed by the private sector. While managing a growing amount of SBOMs across all components and versions is challenging, a proper SBOM management strategy is necessary if companies want to comply. Those who are willing to provide comprehensive data on SBOMs will be brought under protection from the government. The main idea of a global SBOMs directory is fast scalable intelligence sharing and victim notification to ensure maximum protection for the economy and the people. 

The bill acknowledges small and medium-sized companies that lack the resources to validate every component by recommending a federal cyber insurance backstop to help stabilize a company or the economy, should a major attack occur. With the growing use of software in medical, automotive, and critical infrastructure devices, we must do everything in our power to build a safe interconnected network we can trust together. The next pillar addresses this point in detail.

Pillar four: Invest in a resilient future

While news of successful cyber attacks make global headlines nearly daily, the US government clearly states its active intervention to prevent attacks from individual players, hacking groups, and state-backed hacking organizations. 

Pillars 4 and 5 lay out the resources, agreements, and collaborative strategies the Federal Government plans to expand:

  • Knowledge sharing– To allow better collaboration between private organizations and  the government
  • Accountability– Each vendor will be responsible for delivering a secure product and each manufacturer will be responsible to ensure that the component is secure on its own and as part of the greater system.
  • Ecosystem-focused– Driving market forces toward a common goal (i.e, securing our cars, medical devices, and critical infrastructure) will be simpler within a flourishing ecosystem. 
  • Everyone doing their part– Each side will need to make good on their responsibilities if the strategy is to be successful.

By building an underlying structured and secure digital ecosystem that frustrates the efforts of cyber crime we pave the way for more resilient cyber security. 

Pillar five: Forge international partnerships to pursue shared goals

Investing in these five pillars is not only about addressing the problems of today but to lay the groundwork for protection into the future.

Despite its powerful position, the US government can’t secure the global system on its own. That’s why partnerships with countries in North America, South America, Europe, and Asia are critical in ensuring America’s security. The core idea of the bill is to eliminate poor product security practices, reduce response times, and create a more trustworthy internet. The execution of this utopian cyber infrastructure requires global cooperation and collaboration. 

Are SBOMs really the key?

The 5 pillars of the national Cybersecurity strategy make it clear the Federal Government is not playing games when it comes to the cyber security of its citizens.

Software Bills of Materials are a foundational single source of truth. The private sector can use it to identify and contain the spread of malicious software, while the government can use it to:

  • Keep vendors accountable
  • Inform impacted parties of direct threats
  • Ensure that no vulnerabilities enter government systems
  • Manage vulnerabilities 

Manufacturers’ action items

Ultimately, the strategy demands that Congress act to use SBOMs as the foundation of America’s product security future. Time will tell if these companies are ready to partake in the future of secured device security but one thing is clear– transparency is inevitable whether companies want to generate SBOMs or not.

The action item manufacturers should take away from this strategy is to bring their product security operations into order. This means streamlining SBOM management, implementing ongoing vulnerability detection, and having the plan to communicate vulnerabilities to all relevant stakeholders.