Are you aware of the National Cybersecurity Strategy announced by the Biden-Harris administration on March 2, 2023? Well, if you develop software, you had better be.
The goal of the strategy is for the U.S. Government to take the lead in creating a safe and secure digital ecosystem. To achieve this vision, the administration believes two fundamental shifts are required: a rebalancing of the responsibility to defend cyberspace and a realigning of incentives to favor long-term investment.
It is that first shift, rebalancing of responsibility, that will impact software developers.
The Five Pillars of the Cybersecurity Strategy
The idea behind the strategy is to “build and enhance collaboration around five pillars”:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
These five pillars are more than just suggestions. According to the National Cybersecurity Strategy publication, “The Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where Federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will work with Congress to close them.” In other words, expect regulations and laws to follow.
And while all of these pillars are an essential part of the overall strategy, it’s the third one, shape market forces to drive security and resilience, that will have a direct impact on software development.
Shape Market Forces to Drive Security and Resilience
The idea behind pillar three is to “shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” And who are those best positioned to reduce risk? Hint: it’s not end users.
Shaping market forces is important to the administration because so far, it’s “clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience. In too many cases, organizations that choose not to invest in cybersecurity negatively and unfairly impact those that do.”
Organizations that pay no price for developing cheap and vulnerable software will continue to do so. The administration intends to put an end to that. The idea is to “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities and other risks created by software and digital technologies.” Translation: you will now have to pay a price for developing vulnerable software.
Another issue is liability. “Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles.” To combat this, the administration intends to “shift liability onto those entities that fail to take reasonable precautions to secure their software.” Once again, it will cost you to develop vulnerable software.
How to Avoid Developing Vulnerable Software
The best way to avoid deploying vulnerable software is to identify and mitigate vulnerabilities before you deploy it. And the best way to do that is with threat modeling. In fact, that’s the purpose of threat modeling: identify and mitigate vulnerabilities in software prior to deployment. You could say that threat modeling is the cheat code for the new National Cybersecurity Strategy.
If you’d like to learn more about threat modeling and aren’t sure where to start, try ThreatModeler. ThreatModeler is an automated threat modeling platform whose tagline is literally “Secure by Design.” Don’t wait for the new laws to take hold. Start developing secure software today.