The Biden administration plans to forge ahead with the hard work of implementing the ambitious goals of the national cyber strategy, which aims to shift much of the responsibility for developing a more resilient national infrastructure onto the technology industry.
Administration officials will need to work with stakeholders across private industry, Congress and the academic world to find the most effective and efficient means to reorganize the cyber ecosystem. The end goal is for software developers, computer manufacturers and cloud services providers to work together to create a new supply chain that develops safer and more resilient products.
“The biggest and most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us safe,” Kemba Walden, acting national cyber director, said at a forum hosted by the Center for Strategic and International Studies Thursday.
Phil Venables, CISO at Google Cloud, said the national cyber strategy was a recognition of the role that modern cloud technologies play. Last month, Google publicly backed efforts by the Biden administration to promote more secure practices at the front end of development.
“We take our responsibility as one of the world’s largest tech providers very seriously – and agree that increased collaboration between companies like Google and the public sector is critical,” Venables said in a statement.
Microsoft said it was pleased to see the publication of the cyber strategy, in a tweet from Tom Burt, corporate vice president of customer security and trust.
Burt said the company looked forward to the opportunity to sit down for a constructive dialogue with the ONCD, other agencies and Congress regarding the recommendations in the report.
Katell Thielemann, VP analyst at Gartner, said the administration correctly points out the technology industry needs to move away from a speed to market approach in favor of developing more secure product design.
However serious questions remain about how such authorities will be developed and enforced.
“Currently, beyond the power of the federal purse, where would authorities come to compel a shift to secure by design/secure by default for private industry technology providers?” Thielemann said via email.
Congress would have to legislate, legislators would have to invoke new authorities granted to them (for example the FDA and medical device makers) or lawsuits lasting for decades would have to establish failures such as duty of care, Thielemann said.
Cyberspace Solarium Commission co-chairs Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., said the newly released strategy includes key priorities laid out by the Cyberspace Solarium Commission, including a more resilient national infrastructure, investing in federal agency network security and enhanced public-private collaboration.
“The strategy lays out a strong argument for regulating or incentivizing the cybersecurity of key infrastructures, to include the cloud computing sector,” King and Gallagher said in the statement. “It also acknowledges the need to harmonize existing regulations in sectors where there are too many straws stirring the drink.”