Will Biden’s National Cybersecurity Strategy Trigger AppSec Change?
Every federal administration for the past 20 years has issued a cybersecurity strategy, so in one sense the National Cybersecurity Strategy issued by the Biden administration on March 2, 2023 is not unexpected. The big difference, however, lies in the recommendations: For the first time, the government is pressing for regulatory mandates on key industry sectors that control wide swathes of critical infrastructure nationwide.
The question is, how quickly will this high-level strategy translate to granular change far downstream, where applications are actually built and secured?
Let’s just say it will take a while.
We see a couple of likely roadblocks ahead.
1. Turning strategy into law is slow work.
The Biden administration’s strategy calls for “fundamental changes to the underlying dynamics of the digital ecosystem,” and lays out five pillars through which to do so:
1. Defend Critical Infrastructure
2. Disrupt and Dismantle Threat Actors
3. Shape Market Forces to Drive Security and Resilience
4. Invest in a Resilient Future
5. Forge International Partnerships to Pursue Shared Goals
That first pillar is of particular interest, as it could result in regulations requiring minimum cybersecurity measures for companies that provide critical infrastructure, and potentially impose liability on firms that fail to secure their code. This is good news — we’ve been calling for the equivalent of an FDA for software safety for some time now. However, given the regulation-resistant makeup of the current House of Representatives, passing comprehensive legislation looks like a tall order. Instead, the Biden administration is “using existing authorities to set necessary cybersecurity requirements in critical sectors.” For example, the administration used the Transportation Security Administration to establish regulations in oil and natural gas pipelines, aviation, and rail. It worked with the Environmental Protection Agency to do the same with water systems. But not everything is regulated, particularly newer tech industries such as cloud computing. Where there are gaps, the administration plans to get legislation passed, and that’s going to take a while.
2. Developers are set up to fail AppSec.
The ‘shift left’ mantra has morphed into increasing developer responsibility for application security. Recent research from ESG Research found that most organizations (68%) have turned to developer-focused security products to shift some responsibilities to developers. That creates several issues.
Most application developers are currently set up to fail when implementing application security. First, most developers’ goals and incentives don’t include security, which doesn’t give developers much reason to prioritize it. Second, developers are not systemically equipped to understand the security of the software packages they use or to easily understand and fix all the issues that come their way. Small wonder, then, that it takes an average enterprise 271 days to fix critical vulnerabilities with less than 10 percent of vulnerabilities fixed before going into production — and these are often well-resourced organizations.
Keep reading: https://go.mend.io/3y3Ofz0