Trey Herr is the director of the Atlantic Council’s Cyber Statecraft Initiative.
Maia Hamin is an associate director with the Cyber Statecraft Initiative.
Will Loomis is an associate director with the Cyber Statecraft Initiative.
Stewart Scott Contributor
Stewart Scott is an associate director with the Cyber Statecraft Initiative.
The Biden administration’s 2023 National Cybersecurity Strategy identified structural shortcomings in the state of cybersecurity, calling out the failure of market forces to adequately distribute responsibility for the security of data and digital systems. Most prominently, the strategy seeks to “rebalance responsibility [for security] to those best positioned.”
Shortly after the strategy’s launch in March of this year, the Cybersecurity and Infrastructure Security Agency (CISA) kicked off an effort to “shift the balance of cybersecurity risk” by pushing firms to adopt security-by-design (SbD) practices, improving the safety and security of their products at the design phase and throughout their life cycle.
CISA director Jen Easterly’s announcement of these efforts appears to put CISA at the forefront of this rebalancing, addressing technology vendors’ incentives to underinvest in security through changes in how those firms design and deploy the products they sell. As the first substantive proposal from President Biden’s administration to effectuate this rebalancing since the launch of the strategy, the success or failure of the SbD initiative could be a bellwether for one of the strategy’s two fundamental ideas.
Success with SbD is at risk, however, both from the political challenges of implementing SbD practices and the threat of unrealistic expectations. This piece addresses both and highlights a path forward.
Political and structural headwinds
The politics of SbD implementation — which implicitly require a capacity to compel change in vendor practices, as well as the insight to design them — are treacherous ground for CISA, as the fast-growing agency is not a regulator. In time, it might become one, but current and past leadership insist that such responsibilities would be at odds with agency culture and its operational responsibilities.
The agency’s ability to support, build capacity, train, coordinate, and plan together with state, local, tribal and territorial entities, and industry stakeholders is rooted in its disposition as a trusted partner and neutral convener.
This means CISA should be only one of several federal agencies working to implement SbD, with cooperation from regulators like the Federal Trade Commission (FTC), a sharp and pointy complement to CISA’s open-handed approach. Otherwise, the SbD initiative could place CISA in a bind, trying to fix entrenched market incentive problems but without the ability to compel companies to act differently. CISA efforts to create accountability might undermine its attempts to generate goodwill.
Developing and defining a set of SbD practices that vendors can attest to, and that the U.S. government and other parties can verify or enforce, is a tremendous undertaking in and of itself. CISA must build SbD practices alongside an architecture for enforcement that sets clear roles for entities like the FTC, the Department of Defense, the Securities and Exchange Commission, and the General Services Administration.
The White House has responsibility here, too, and specifically the Office of the National Cyber Director, to guide this multi-agency effort within a strategy to manage the industry politics of shifting the incentives in this market — precisely what the office was designed, staffed, and organized to do. CISA’s focus must remain on enumerating and updating the essential SbD practices.
Just one piece of the puzzle
As we have argued before, “no strategy can address all sources of risk at once, but . . . silver bullets often trade rhetorical clarity for crippling internal compromises.” The SbD program could achieve deep, meaningful changes in how some of the largest technology vendors build services and products. Those changes would have material benefits for the security of every technology user.
However, cajoling all firms toward a comprehensive and uniform set of best practices is a fundamentally incompletable task.
Malicious actors perpetually seek new means of exploit; different sectors and system classes face different and unique challenges; and new technologies are prone to modes of failure, both new and unforeseen. Adopting certain new processes, rigorously enforcing them, and fixing existing incentives would still be a much-needed improvement over the current status quo.
However, adopting memory-safe languages or pushing large actors toward better risk management would not necessarily have prevented many significant vulnerabilities in recent memory, such as Log4Shell. To succeed, CISA will also need to understand how large technology companies build products and services — current industry practice is far from complete or perfect, but it is the baseline from which SbD hopes to drive change. Understanding that baseline is critical.
There is danger when rhetoric around shifting responsibility in cyberspace suggests that cybersecurity problems and challenges exist only because technology vendors cut corners or that all cybersecurity risk can be avoided by following a simple set of straightforward practices. The increasingly interconnected, dependent nature of software systems, as well as the variety of organizations and systems they connect to, creates risks all its own.
SbD is an important piece of managing this — the status quo of responsibility deferred to the user is broken — but describing SbD as a panacea risks creating backlash when insecurity inevitably persists.
It is clear CISA recognizes that success in SbD could be one of the most impactful policy interventions in cybersecurity in the last decade. It is also clear that the program, even in its most successful incarnation, will leave some problems unsolved. Specificity about the scope and goals of the program will help prevent its inevitable critics from distorting the debate into all-or-nothing terms.
Risk and opportunity
SbD — the first policy manifestation of the National Cybersecurity Strategy’s effort to shift responsibility — will not come about by sheer goodwill alone. CISA is not a regulator, and it must define a path for federal agencies that are regulators so that the implementation of SbD leverages the broader standards setting, enforcement, and regulatory powers of the federal government.
The growing and talented team at CISA have 18 months until January 2025, which will bring either the paralyzing tumult of transition or the still-chaotic maturation of a first-term administration into a second. The largest vendors that would participate in this program are not going anywhere and can afford to wait.
In this sense, CISA and the wider U.S. government’s cyber policy apparatus is on the clock. CISA must focus on the essential elements of SbD and organize, build, and engage with a clear deadline in mind. The clock is ticking.