Acting National Cyber Director Kemba Walden said the national cybersecurity strategy has been well received, but acknowledged there were areas of disagreement.
Walden, speaking Tuesday at a forum hosted by The Software Alliance, also known as BSA, said there are two major areas of common ground that form the basis of the policy. Individual technology users, small businesses, local governments and small infrastructure providers like schools and hospitals are currently bearing the brunt of the cybersecurity risk — and that needs to change.
“Cybersecurity risk is in the wrong place,” Walden said. “I think that’s an area of common ground.”
Secondly, the U.S. is currently engaged in a game of Whac-A-Mole with malicious actors and the country needs to work together to make sure systems can be properly defended.
Walden said her main concern regarding the national cyber strategy is to make sure the U.S. can build a more resilient digital ecosystem.
A variety of different threats come in on a daily basis, but the U.S. needs to be able to build a system that can withstand malicious activity regardless of where the threat is coming from, according to Walden.
“Are we making the right strategic investments, not just in the federal ecosystem, but for the nation, and enabling that resilience?” Walden asked during the interview with Victoria Espinel, CEO of The Software Alliance.
Walden said a key priority at her office is to help drive cohesion among the various federal agencies that share a common goal to drive cybersecurity policy.
Dozens of U.S. agencies have cybersecurity as part of their focus, including sector risk management agencies that deal with various critical infrastructure priorities.
The White House contains various bodies responsible for cybersecurity, including the National Security Council, the National Economic Council and the Office of Science and Technology Policy. The FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency each play key roles from an operational perspective.
The key is to make sure all the various agencies work together to achieve a more cohesive cybersecurity posture, Walden said.
While a more united message and strategy is considered important, Walden emphasized the administration’s push to engage with the private sector to get more input on cybersecurity policy and information sharing.
“It’s not lost on me that industry owns and controls most of our critical infrastructure. Full stop,” Walden said. “So there’s no way we can execute a national cybersecurity framework without industry.”
The administration needs private industry to effectively act as a frontline to counter malicious cyber activity, Walden said, noting the private sector can “see ransomware coming” far before the government knows about many of these attacks.
Private industry, Walden said, has been working “shoulder-to-shoulder” on issues like shifting software liability, adding that this is going to be a multi-stakeholder, multiyear process.
While much of the public response from the software industry has been positive, concerns have been raised about the potential legal liability facing developers and others for products that fail to meet security standards.
Much of the dialogue has centered around creating some type of safe harbor mechanism to provide some additional protections.