Three Quick Takeaways from Biden’s National Cybersecurity Strategy

By Eric Byres on March 2, 2023

NOTE: We were going to publish our second blog of the S4x23 SBOM Challenge today. However, the new National Cybersecurity Strategy was released this morning, and we thought that dissecting it for our readers took priority. We’ll go back to the S4x23 SBOM Challenge discussion next week.

There is a lot to unpack, and even more to read between the lines, in the Biden Administration's new National Cybersecurity Strategy. Let me lay out the three things that stood out on my first read.

  1. The real threat: The Biden administration is acknowledging that the real cybersecurity threat is from hostile nations and not your average cybercriminal. While attacks from cybercriminals are common in everyday news, skilled actors operating out of foreign intelligence agencies will be responsible for any big disasters, especially against our critical infrastructures. Two-thirds of the section titled Malicious Actors (page 3) focuses on calling out China, Russia, Iran, and North Korea as the sponsors of the most damaging cyber attacks of the past five years. The gloves are off and the US government is now setting its sights on defending the nation from the true threat. 

  2. OT security is finally getting the attention it deserves: While the attention started with EO14028, the government is now recognizing that OT is not the same as IT (or IoT) and protecting these systems is critical to the well-being of the western world. And they understand that many of the OT systems deployed today will need to be replaced — on page 13 the document notes:

The Federal Government must replace or update IT and OT systems that are not defensible against sophisticated cyber threats.

The section goes on to say:

The plan will identify milestones to remove all legacy systems incapable of implementing our zero trust architecture strategy within a decade.

For the moment this applies only to federal systems, but, as has become blindingly obvious, rules laid out for federal agencies reach the private sector in short order, not least because federal procurement requirements flow down to every vendor that sells to the government. What is this going to mean for all the legacy equipment out there in industrial environments cheerfully communicating over Modbus, a protocol with no authentication or encryption and therefore no way to establish the device identity that a zero trust architecture depends on?

  3. More regulation is coming: The strategy recognizes that

…market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.

Regulations and changes in liability law will be used to push technology providers, especially those serving critical infrastructure, to do the right thing. Taking shortcuts and embedding third-party code of questionable provenance into products is going to have consequences.

At the same time, the government wants to help those companies that do try to ship a secure product:

…the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.

In addition to drawing from

current best practices for secure software development, such as the NIST Secure Software Development Framework,

the strategy calls for this safe harbor to

evolve over time, incorporating new tools for secure software development, software transparency, and vulnerability discovery.

Increasing transparency and building trust in our industry has been the goal of aDolus since its formation in 2017. I believe that FACT can help companies secure moorage in this "safe harbor” by providing software transparency and vulnerability discovery at scale.

Eric Byres

Eric is widely recognized as one of the world’s leading experts in the field of OT, IT and IoT software supply chain security. He is the inventor of the Tofino Security technology – the most widely deployed OT-specific firewall in the world. When not setting the product vision, or speaking at a conference, Eric can be found cranking away on his gravel bike.
