Chapter 8: Reshape the Cyber Ecosystem Toward Greater Security
Denying adversaries benefits is crucial for successful layered cyber deterrence.
Today’s cyber ecosystem is more than technology. It’s also the people, processes, and organizations that plug into the technology and the data they combine to produce. This chapter is about lowering the risk of vulnerability by shifting the burden of security away from end users to owners and operators, developers, and manufacturers who can better implement security solutions at the appropriate scale.
There are five strategic objectives to push this pillar forward:
STRATEGIC OBJECTIVE #1: INCENTIVIZE GREATER SECURITY IN THE MARKETS FOR TECHNOLOGY
Currently technology companies are under market pressure to prioritize being “first to market” over security, an approach that passes risk on to other companies and individuals. Moving the markets for technologies toward greater security requires establishing clearer expectations and standards for what constitutes secure technology development and maintenance, thus allowing consumers to make informed decisions, as well as incentivizing supplies to build security into the development of the products they sell.
Key Recommendation: Congress should establish and fund a National Cybersecurity Certification and Labeling Authority empowered to establish and manage a program for voluntary security certifications and labeling of information and communications technology products.
Without accessible and transparent mechanisms (i.e. certifications) and labels (i.e. nutrition labels), consumers have a near impossible time comparing the security levels between products, thus making uninformed purchases. The problem stems from a whole chain of events: the lack of differentiation leads to a lack of demand for more secure products, thus leaving product developers with little to no incentive to promote security best practices while designing, testing, and developing their products. Congress should also identify and integrate with ongoing security efforts — building on existing efforts of the Department of Commerce.
Enabling Recommendations:
Create or Designate Critical Technology Security Centers
Expand and Support the National Institute of Standards and Technology Security Work
Key Recommendation 2: Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.
As of now, there is no clearly defined duty of care for final goods assemblers in their responsibilities for developing and issuing patches for known vulnerabilities in their products and services. A duty of care law is needed, and should establish that assemblers of software, hardware, and firmware are liable for damages from incidents that exploit vulnerabilities that were known at time of shipment and/or discovered and not fixed within a reasonable amount of time. The duty of law would also establish expectations that final goods assemblers are responsible for producing security patches for as long as the product or service is supported.
Enabling Recommendation:
Incentivize Timely Patch Implementation
STRATEGIC OBJECTIVE #2: INCENTIVIZE BETTER ORGANIZATIONAL CYBERSECURITY
Encouraging more secure practices by users and organizations will help address the human and organizational aspects of national vulnerability. To do this, the US needs to build a greater statistical capacity to develop, test, and understand the effectiveness of good practices and standards, while using all available instruments to craft incentives to change behavior at a large scale.
Key Recommendation: Congress should establish a Bureau of Cyber Statistics charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policy making and government programs.
Even though there’s a wide consensus that cyberattacks on the US are increasing, the US government and broader marketplace lack sufficient clarity about the nature and scope of these attacks to develop nuanced and effective policy responses. While the government has established agencies to address gaps in other policy areas (i.e. Bureau of Labor Statistics), the same hasn’t been done yet for cyberspace. Therefore, the Bureau of Cyber Statistics should be established to act as the government statistical agency that collects, processes, analyzes, and disseminates essential data on cybersecurity, cyber incidents, and the cyber ecosystem to the American public, Congress, other federal agencies, state and local governments, and the private sector.
Key Recommendation 2: Congress should resource and direct the Department of Homeland Security (DHS) to resource a federally funded research and development center to work with state-level regulators in developing certifications for cybersecurity insurance products.
Enabling Recommendations:
Establish A Public-Private Partnership on Modeling Cyber Risk
Explore The Need for a Government Reinsurance Program to Cover Catastrophic Cyber Events
Incentivize Information Technology Security Through Federal Acquisition Regulations and Federal Information Security Management Act Authorities
Amend the Sarbanes-Oxley Act to include Cybersecurity Reporting Requirements
STRATEGIC OBJECTIVE #3: EMPOWER ICT ENABLERS TO DEPLOY SECURITY ACROSS THE ECOSYSTEM
The US government should undertake efforts to better leverage the scale of information and communication technology (ICT) enablers in cybersecurity — both by empowering companies that can deploy security across the ecosystem and by incentivizing the adoption of the scalable security solutions they offer.
Key Recommendation: The National Cybersecurity Certification and Labeling Authority, in consultation with the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security, should develop a cloud security certification.
Enabling Recommendations:
Incentivize the Uptake of Secure Cloud Services for Small and Medium Sized Business and State, Local, Tribal, and Territorial Governments
Develop a Strategy to Secure Foundational Internet Protocols and Email
Strengthen the US Government’s Ability to Take Down Botnets
STRATEGIC OBJECTIVE #4: REDUCE CRITICAL DEPENDENCIES ON UNTRUSTED INFORMATION AND COMMUNICATIONS TECHNOLOGY
The US should identify industries and technologies critical to national and economic security and take steps to reduce vulnerability at both macroeconomic and microeconomic levels. As technology supply chains have become more complex and global, the US has developed a growing dependence on suppliers that may come under malign influence, introducing vulnerability into the system. As a result, the US should develop a more robust capacity to identify and protect against untrusted suppliers.
Key Recommendation: Congress should direct the US government to develop and implement an information and communications technology industrial base strategy to ensure more trusted supply chains and the availability of critical information and communications technologies.
This strategy should focus on ensuring the availability and integrity of trusted components, products, and materials necessary for the manufacture and development of ICTs deemed most critical to national and economic security. During this effort, the US government should assess the ability of its current structure, resources, and authorities to inform, develop, and execute such a strategy and provide recommendations to strengthen them. This can be done by:
- Identifying and assessing critical dependencies
- Directing investments for ICT industrial capacity and trusted supply
- Directing strategic investments in research and development
- Amending the defense production act to enable an ICT industrial base strategy
Enabling Recommendations:
Increase Support to Supply Chain Risk Management Efforts
Commit Significant and Consistent Funding Toward Research and Development in Emerging Technologies
Strengthen the Capacity of the Committee on Foreign Investment in the US
Invest in the National Cyber Moonshot Initiative
STRATEGIC OBJECTIVE #5: STRENGTHEN NATIONAL SYSTEMIC DATA SECURITY
The security and privacy of American’s data should be substantially and systemically improved, especially as data becomes increasingly central to the modern digital economy and our everyday lives.
Key recommendation: Congress should pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.
Specifically legislation should establish:
- National minimum common standards for the collection, retention, analysis, and third party sharing of personal data
- Definitions of personal data, to include that which can be linked, directly or indirectly, to individuals or households
- Timelines for deleting, correcting, or porting personal data upon request by the appropriate persons
- A clear mandate for the federal trade commission to enforce these standards with civil penalties
Enabling Recommendation:
Pass a National Breach Notification Law
- While these sorts of laws have been passed in some sense in all states and territories, there is no national standard. The law should:
- Establish a threshold for what would be considered a breach
- Sets standards and timelines for notifying victims
- Sets criteria that determine when victims should receive free credit monitoring or other data and identity protections
