The new national cyber strategy prompts a “long overdue” dialogue on incentives and liability, particularly regarding cloud and software, that should be pursued through multistakeholder engagements, according to Megan Stifel of the Institute for Security and Technology.
“The [Biden] strategy is bold in all the right ways and it carries forward priorities from previous strategies,” Stifel, chief strategy officer for IST and a former Department of Justice national security division attorney, said in an interview with Inside Cybersecurity. “I’ve been a fan of re-examining incentives and now is a good time.”
IST leads the Ransomware Task Force that issued a landmark policy report in 2021 and is hosting an event on May 5 to “assess against the 48 recommendations” in that report, Stifel said. The event will mark the second anniversary of the task force report.
Megan Stifel, Chief Strategy Officer, Institute for Security and Technology
In August 2022, IST issued a “Blueprint for Ransomware Defense” aimed at small and mid-sized businesses.
The group is also readying a paper on open source software, which Stifel said is “one of the places where we need to re-examine incentives.” The paper will emphasize that a legal safe harbor from liability “has to be accessible not just for the largest entities” under a “shared responsibility model,” Stifel said.
It will emphasize “the need to embrace frameworks” around software security, she said, and re-evaluate the scoring system for prioritizing risk mitigation efforts.
With the Biden administration’s new strategy beginning to frame budget and policy discussions, Stifel noted that providing funding for cyber has broad support. “Changing liability,” on the other hand, is “very different, there will be pain points.”
“But the conversation is long overdue,” Stifel asserted.
“The intent isn’t to be hard on cloud or software,” she said of the Biden strategy, and “it doesn’t paint either industry with a broad brush. In fact, they did a shoutout to Google and other companies.”
Now, Stifel said, the federal government should act as “a convenor” in pulling together stakeholders to develop a safe harbor that creates new liabilities as well as legal protections for software and cloud providers.
“It’s easier said than done,” she acknowledged, noting that this is a “complex space.”
The upcoming IST paper on software will look at measures such as Software Bill of Materials and vulnerability disclosure practices as some of the “right things” that companies could employ in order to earn liability protection under a safe harbor.
Implementation of the national cyber strategy “will be a challenge on some fronts but not all,” Stifel said.
Software liability is a high-profile issue that will test policymakers’ ability to develop a workable approach, she said, but there are other challenging issues such as advancing operational collaboration – which has become a touchstone for federal cyber officials – and additional capacity building in both the public and private sectors.
All of these will require funding, as well as attention to “longstanding relationships” and a focus on applying the “technical fixes” needed to “improve the internet for the future,” Stifel said.
The fixes, including practices to reduce vulnerabilities to distributed denial of service attacks, need to be implemented at scale domestically and internationally, Stifel said, which is a tall order.
“But don’t let that stop us from trying, the U.S. has a responsibility to lead,” she said.
“There remain gaps in the ability to achieve scale in operational collaboration,” she said, and IST is working with partners to “find additional insights to inform the national cyber strategy.”
IST will continue to focus heavily on counter-ransomware initiatives, Stifel said, observing that the U.S. and allies have “made progress but the number of attacks aren’t decreasing. The threat isn’t going away, it’s evolving.”
A new CISA pilot program on ransomware is “promising,” Stifel said. “The focus on notification to critical infrastructure is core to CISA’s mission. What’s key is ensuring the information is not siloed at CISA, they need to resolve barriers.”
Stifel underscored the progress on the task force’s recommendations while saying “the problem still exists.”
“There’s no turnkey solution, but if we leverage a number of solutions we will see the risk and the impacts decrease over years,” Stifel said. “Keep having conversations, keep identifying gaps.” – Charlie Mitchell (firstname.lastname@example.org)