The Biden administration’s 2023 National Cybersecurity Strategy identifies significant structural shortcomings in the state of cybersecurity, particularly in how responsibility for the security of data and digital systems is distributed. The strategy aims to rebalance that responsibility toward those best positioned to address cybersecurity challenges effectively. One of the key initiatives for achieving this rebalancing is the adoption of security-by-design (SbD) practices, which focus on improving the safety and security of products at the design phase and throughout their life cycle.

Led by the Cybersecurity and Infrastructure Security Agency (CISA), the SbD initiative is a crucial step toward incentivizing technology vendors to prioritize security in their products. The success or failure of this initiative will be a litmus test for the effectiveness of the broader National Cybersecurity Strategy.

While the SbD initiative shows promise, it also faces several challenges that could hinder its effectiveness. One major hurdle is the political landscape: CISA is not a regulatory agency, which makes it difficult to enforce changes in vendor practices. To address this, the initiative must involve multiple federal agencies, including regulatory bodies such as the Federal Trade Commission (FTC), to complement CISA’s approach and create a more comprehensive strategy.

Developing a set of SbD practices and defining clear roles for enforcement entities will be a massive undertaking. CISA needs to work alongside other agencies, such as the Department of Defense, the Securities and Exchange Commission, and the General Services Administration, to establish accountability and verification mechanisms. The Office of the National Cyber Director also plays a critical role in guiding this multi-agency effort through the complex politics of shifting market incentives.

It is essential to recognize that while SbD can drive meaningful changes in how large technology vendors build products, it cannot address all cybersecurity risks comprehensively. The constantly evolving threat landscape and the diversity of systems call for a more nuanced approach. SbD should be viewed as a valuable improvement over the current state, not a one-size-fits-all solution.

To succeed, CISA must understand how technology companies currently build products and services, because SbD aims to drive change from the existing baseline. Rhetoric about shifting responsibility should not oversimplify cybersecurity challenges or absolve users of their own role in ensuring security.

The success of the SbD initiative hinges on specificity about its scope and goals. That clarity will keep critics from distorting the debate and from expecting a panacea for all cybersecurity issues. While SbD represents a significant step forward, it will not solve every problem in cyberspace.

To ensure the success of SbD, CISA must define a path for federal regulatory agencies to leverage their standards-setting and enforcement powers. Shying away from government enforcement could undermine the voluntary nature of the program.

CISA’s window of opportunity is limited, and its focus must remain on the essential elements of SbD. The agency must engage with a clear deadline in mind, as the clock is ticking. The challenge lies in organizing and building an effective framework that can withstand the test of time and drive meaningful change in the cybersecurity landscape.

In conclusion, the SbD initiative represents a pivotal effort to shift responsibility for cybersecurity to those best equipped to address it. However, it must overcome political and structural hurdles to achieve its objectives. With a clear strategy, collaboration between federal agencies, and realistic expectations, the SbD program can significantly enhance cybersecurity practices and safeguard digital systems for years to come.
October 20, 2023