In March, the U.S. government released a new Cybersecurity Strategy authored by the Office of the National Cyber Director (ONCD).
Split into five Pillars and 27 Strategic Objectives, the strategy lays out a bold vision for defending critical infrastructure, dismantling threat actors, shaping market forces to drive security, investing in a resilient future and forging international partnerships. If fully implemented, this strategy will present businesses in the contracting space with the challenge of increased scrutiny and higher security standards, but also the opportunity to compete for orders and grants aimed at bolstering the nation’s critical digital infrastructure.
The strategy includes several areas of interest for the government contracting community, with the potential for increased funding for various projects as well as the possibility of additional regulation and enforcement.
One section, for example, discusses using federal grant programs to incentivize the creation of critical digital infrastructure. Another expands on the ways that the government could “leverage federal procurement to improve accountability,” but also calls for increased enforcement of security requirements for vendors that sell to the Federal Government. Finally, one provision outlines plans to “reinvigorate federal research and development for cybersecurity” through a variety of federally funded research and development centers.
‘Zero Day’ vulnerabilities
The most controversial section calls for holding software companies liable for producing insecure code. While the exploitation of “Zero Day” vulnerabilities has reached an all-time high in recent years, resulting in sweeping impacts across industry and government, the idea of holding companies liable for the production of insecure code is a major departure from previous norms. Some have questioned whether the strategy contains enough details to be adequately implemented, while others noted that this objective could reshape how the entire government procures software.
In an effort to emphasize this shift in thinking, the Cybersecurity and Infrastructure Security Agency (CISA), along with several international partners, published Secure-by-Design and -Default Principles in April. This guidance was intended to drive a cultural change in how the technology community views vulnerable software and shift the burden of security onto technology manufacturers.
As part of the rollout for this new way of thinking, the Director of CISA, Jen Easterly, noted in a speech at Carnegie Mellon University that the concept of Secure-by-Design and -Default was intended to shift the burden away from consumers and small businesses and onto the major technology companies. This means that if fully implemented, major tech companies like Microsoft and Google would bear a greater degree of responsibility than the average government contractor, particularly companies classified as small businesses.
Shifting the burden of responsibility is controversial because up to this point major software development companies have assumed that if they continue to identify and patch vulnerabilities, they will be immune to most negative consequences. In fact, Microsoft has institutionalized the idea of routinely releasing updates and fixes to their software to the point that “Patch Tuesday” has been an industry staple since 2003.
However, as threat actors continue to exploit more zero-day vulnerabilities than ever before, the need for secure software has never been greater. 2021 saw the largest number of zero-days exploited in history, with state-sponsored actors leading the way. So far in 2023, criminal ransomware groups have leveraged critical vulnerabilities leading to hundreds of millions of dollars in ransom payments.
In July 2023, the ONCD published a National Cybersecurity Strategy Implementation Plan providing timelines, responsible agencies, and specific guidance for many of the objectives laid out in the strategy. The plan, for example, put the Office of Management and Budget in charge of implementing Federal Acquisition Regulation changes required under Executive Order 14028 by the first quarter of FY24, and called for the Office of Science and Technology Policy to work with a variety of grant-making agencies to prioritize investments in “memory safe programming languages.”
‘Secure by Design’
Neither of these provisions came with fresh funding for implementation. Strikingly, the “Secure-by-Design” provision had one of the weakest implementation plans in the entire document, calling for ONCD to host a legal symposium by the second quarter of FY24 to “explore different approaches to a software liability framework.”
Ultimately, how federal dollars are allocated over the next few Fiscal Years will determine the true impact of the new strategy and implementation plan. While it appears that offices like ONCD and CISA are pushing for dramatic shifts in the cybersecurity landscape, their lack of regulatory and budget authority may hamper the implementation of those plans.
If fully implemented, the strategy would have a net positive effect on the government contracting space by increasing federal investment in secure technology development and reducing vulnerabilities in major software that all government contractors use. It is too soon to tell whether this bold vision for the future can truly become a reality.