2023 White House National Cybersecurity Strategy Guidance
National Cybersecurity Strategy Key Themes
- Software providers and data owners held responsible under cybersecurity liability
- Realigned long-term investment in cybersecurity will have a focus on the future
- A drive to invest in security resilience starts with every digital ecosystem
- Coordinated vulnerability disclosures and SBOMs are still a best practice
What is the White House National Cybersecurity Strategy?
The Biden-Harris Administration’s National Cybersecurity Strategy calls to build and mature a digital ecosystem that is more resilient against cyber attacks. The Strategy frames two main fundamental shifts in how the United States will allocate roles, responsibilities, and resources in cyberspace:
- A call for cybersecurity liability and holding software providers responsible
- Aligning incentives to favor long-term investments in cybersecurity
How does the National Security Strategy impact software development?
The Strategy calls for changes in how organizations create and use software. They need to employ rigorous methods to ‘prevent bad outcomes’ and take full responsibility for protecting consumers.
It also states that liability can’t be pushed off on the “open-source developer of a component that is integrated into a commercial product.” Changing the dynamics of accountability is the only way to drive the proper outcomes, but it’s just the beginning of a much larger shift in secure development.
While the Strategy recognizes that even a perfect security process can’t guarantee perfect outcomes, vendors should no longer be able to disclaim any and all liability. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, rather than calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.
The White House National Security Strategy also moves to hold accountable companies that collect massive amounts of information and then leave that information open to attackers with little recourse. Without regulatory change, the consequences of these breaches can be huge for consumers, while the resulting lawsuits amount to a rounding error and a cost of doing business for these companies.
How can you Prepare?
Sonatype is in a unique position to help you and your organization get ready.
We are regarded as highly trusted domain experts with unparalleled years of experience in this space. Over the years, we have been invited to advise on government legislation and strategy, including this one, specifically on secure software development and its open source implications.
Two Key Areas of Preparation:
1. "Incentivize the adoption of secure software development practices", "Secure by Design" and "Secure from the Start"
Sonatype’s Platform helps organizations build secure software by identifying and remediating vulnerabilities early in the development process, enabling companies to ship software with no known open source vulnerabilities and mitigating liability issues down the line.
- Provides visibility and control over the open source components and third-party dependencies used in software applications.
- Prevents malware from entering the software development environment, like no other solution on the market.
- Automates security testing and implements continuous monitoring of software components throughout the development lifecycle.
2. "Promotion of the further development of SBOMs"
An SBOM (software bill of materials) is a formal list that details the third-party and open source components that make up a software application.
- Try the Nexus Vulnerability Scanner to get your free SBOM
- Nexus Lifecycle integrates across your entire software supply chain and enables customers to automatically create SBOMs and receive actionable remediation advice
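To make the SBOM definition above concrete, here is an added Python example (not Sonatype's code, and not produced by the tools named on this page) that reads a small CycloneDX-style JSON SBOM, splits each component's package URL (purl) into its parts, flags components that lack the purl or version needed to match them against advisories, and compares the remaining versions against a constructed advisory feed. The SBOM contents, package names and advisory identifiers are all constructed for illustration; the version comparison is a deliberately simple dotted-numeric ordering, not a full ecosystem-aware comparator.

```python
import json
from typing import List, Tuple

# Constructed sample SBOM in CycloneDX JSON form (package names are hypothetical).
# The third component deliberately lacks a purl, which an SBOM quality check should flag.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "name": "acme-logger", "group": "com.acme", "version": "2.14.1",
     "purl": "pkg:maven/com.acme/acme-logger@2.14.1"},
    {"type": "library", "name": "tiny-pad", "version": "1.3.0",
     "purl": "pkg:npm/tiny-pad@1.3.0"},
    {"type": "library", "name": "netclient", "version": "2.31.0"}
  ]
}"""

# Constructed advisory feed (hypothetical ids): a component is affected when its
# version is below `fixed_in`.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "purl": "pkg:maven/com.acme/acme-logger", "fixed_in": "2.15.0"},
    {"id": "EXAMPLE-2023-0002", "purl": "pkg:npm/tiny-pad", "fixed_in": "1.2.0"},
]


def parse_purl(purl: str) -> Tuple[str, str, str, str]:
    """Split a package URL into (type, namespace, name, version).
    Qualifiers (?...) and subpaths (#...) are dropped; namespace may be ''."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    parts = path.split("/")
    ptype, name = parts[0], parts[-1]
    namespace = "/".join(parts[1:-1])
    return ptype, namespace, name, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for simple dotted versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def load_components(sbom_text: str) -> List[dict]:
    """Return the component list of a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def incomplete_components(components: List[dict]) -> List[str]:
    """Names of components that cannot be matched to advisories (missing purl or version)."""
    return [c.get("name", "?") for c in components if not c.get("purl") or not c.get("version")]


def match_advisories(components: List[dict], advisories: List[dict]) -> List[Tuple[str, str]]:
    """Return (advisory id, component purl) pairs for components below the fixed version."""
    hits = []
    for comp in components:
        purl = comp.get("purl")
        if not purl:
            continue  # reported separately by incomplete_components()
        ptype, ns, name, version = parse_purl(purl)
        for adv in advisories:
            a_type, a_ns, a_name, _ = parse_purl(adv["purl"])
            same_package = (ptype, ns, name) == (a_type, a_ns, a_name)
            if same_package and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((adv["id"], purl))
    return hits


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("components listed:", len(comps))
    print("unmatchable (no purl/version):", incomplete_components(comps))
    for adv_id, purl in match_advisories(comps, ADVISORIES):
        print(f"{adv_id} affects {purl}")
```

The point for a defender is the second check as much as the first: an SBOM entry without a purl or version cannot be correlated with any advisory feed, so the quality of the inventory bounds how much remediation advice can ever be automated from it.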
"This is a landmark moment for the industry, signaling a nuanced understanding of the threats and complexity of today’s cyber landscape."
Experts discuss software liability and National Cybersecurity Strategy