SAN FRANCISCO — The White House is crafting a roadmap, set for release early this summer, to guide the implementation of the national cybersecurity strategy, Acting National Cyber Director Kemba Walden said Tuesday during a discussion with journalists at the RSA Conference.
The strategy, framed around principles, was developed to have a 10-year shelf life. The dynamic and evolving nature of cybersecurity requires flexibility as new threats or technologies emerge, Walden said.
“The devil’s in the implementation planning process,” Walden said. “It’s really going to be who’s accountable for what, who’s responsible for what in the policymaking process, in the sort of sausage factory of the government.”
Walden, who was elevated to the position in an acting capacity following the retirement of her predecessor Chris Inglis in February, has been out front and center following the release of the White House’s national cybersecurity strategy in early March.
She wants everyone to thrive in the digital ecosystem but she feels a sense of urgency in making sure the underpinnings of that vast landscape are secure and safe.
“Even as we’re trying to put our policy heads together and make policy, we can still do things. We can still drive,” Walden said.
“My whole journey at the Office of the National Cyber Director has been building a plane as I learn how to fly and then flying it. That’s just how it is,” Walden said.
Regulation, including efforts to raise minimum cybersecurity requirements, is one of many levers the federal government may need to pull to strengthen defenses and shift responsibility for security to technology vendors.
The near-term outlook for regulation, however, doesn’t look promising.
“I don’t think we’re ready for a software liability regime from the White House into Congress now,” Walden said.
Conversations with stakeholders, including software developers, lawyers and members of Congress, are underway.
Walden hasn’t met a single person who opposes the White House’s cybersecurity goals, she said, but disagreements over how to address gaps in regulation and effect some of the changes outlined in the national cybersecurity strategy are likely.
“I am not at all worried that Congress is not going to work with us,” Walden said. “I think reasonable minds can disagree on certain things, but we can get to a place where we have common ground and can move forward.”
Shifting responsibility to tech vendors
The most obvious, and perhaps challenging, component of the strategy involves a push to pin the responsibility for security on software, hardware and platform providers.
“The word easy doesn’t show up in the strategy at all,” Walden said, describing the responsibility shift as hard but necessary.
“We may need congressional support to do it,” Walden said. “I don’t have the answers yet, but there seems to be common ground at this point that software liability is one of the tools that’s reasonable to use in order to incentivize the shift in responsibility.”
This collective push from the White House, ONCD and the Cybersecurity and Infrastructure Security Agency has not had unanimous support, Walden said. Some vendors have pushed back on the secure-by-design and secure-by-default principles.
“We got some heartburn, [but] nobody was caught off guard,” Walden said. “We’ve been talking about this on the edges for a while.”
Conversations with stakeholders occurred early in the White House’s efforts to craft the strategy, according to Walden.
Cybersecurity authorities and the White House are assessing what’s required and how far they can go in achieving this responsibility shift.
While large tech vendors have the wherewithal to prioritize and deliver better security in their products, smaller outfits and open source communities will be hard-pressed to keep up.
“I understand the importance of open source to our tech innovation and I want to foster that, but at the same time I want to protect people from shoddy code,” Walden said.
While the end goal is the same regardless of size, the security burden will likely be greater for big technology companies.
“I am pushing as hard and as far up as I possibly can,” Walden said. “I’m trying to push it as far up the chain as possible. It’s going to stop at different points. There’s going to be sort of a graduated set of responsibilities as you move up.”
Despite those nuances and concerns shared by some vendors, most of the tech industry is on board and supporting the effort, according to Walden.
“We’re all sort of moving in that direction now,” Walden said. “Are we all at the same shoot-for-the-moon that I’m at? Some of us are, but some have landed at the stars.”