The National Cybersecurity Strategy, like other recent government measures, aims to create market incentives that would create a secure-by-design model, and it marks one of the bolder plans put out by the White House in shifting the onus in security toward manufacturers. While “secure-by-design” may seem like a simple concept, it will be an assiduous undertaking from both government agencies and from private sector organizations; manufacturers have not historically implemented practices to develop products securely from the beginning, due to a number of reasons, including added costs, time-to-market constraints or lack of education.
To get a better sense of the extent to which manufacturers should be responsible for the security of their products, the ONCD is being tasked with developing a software liability framework through working with Congress, the private sector, academic researchers and others. This will be spearheaded through a legal symposium that will explore different ideas for the framework by the second quarter of 2024. The ONCD will also develop materials to encourage the use of federal grants in aiding manufacturers to build in various security measures.
Internet of Things (IoT) devices, known to be insecure, are another top focus, and the plan includes initiatives for changing Federal Acquisition Regulation requirements for connected devices and for creating a U.S. government IoT security labeling program. Other initiatives pertain to coordinated vulnerability disclosure, federal cyber insurance and funding for security research.
“The principles of secure-by-design really reflect the shift in the strategy toward asking… the biggest and most capable players to do more to drive security in the ecosystem, rather than asking all the small players to meet the security demands themselves,” said Tom McDermott, deputy assistant secretary for Cyber, Infrastructure, Risk and Resilience Policy at the DHS.