Will Biden’s National Cybersecurity Strategy Trigger AppSec Change?
Every federal administration for the past 20 years has issued a cybersecurity strategy, so in one sense the National Cybersecurity Strategy issued by the Biden administration on March 2, 2023 is not unexpected. The big difference, however, lies in the recommendations: For the first time, the government is pressing for regulatory mandates on key industry sectors that control wide swathes of critical infrastructure nationwide.
The question is, how quickly will this high-level strategy translate to granular change far downstream, where applications are actually built and secured?
Let’s just say it will take a while.
We see a couple of likely roadblocks ahead.
1. Turning strategy into law is slow work.
The Biden administration’s strategy calls for “fundamental changes to the underlying dynamics of the digital ecosystem,” and lays out five pillars through which to do so:
1. Defend Critical Infrastructure
2. Disrupt and Dismantle Threat Actors
3. Shape Market Forces to Drive Security and Resilience
4. Invest in a Resilient Future
5. Forge International Partnerships to Pursue Shared Goals
That first pillar is of particular interest, as it could result in regulations requiring minimum cybersecurity measures for companies that provide critical infrastructure, and potentially impose liability on firms that fail to secure their code. This is good news — we’ve been calling for the equivalent of an FDA for software safety for some time now. However, given the regulation-resistant makeup of the current House of Representatives, passing comprehensive legislation looks like a tall order. Instead, the Biden administration is “using existing authorities to set necessary cybersecurity requirements in critical sectors.” For example, the administration used the Transportation Security Administration to establish regulations in oil and natural gas pipelines, aviation, and rail. It worked with the Environmental Protection Agency to do the same with water systems. But not everything is regulated, particularly newer tech industries such as cloud computing. Where there are gaps, the Administration plans to get legislation passed, and that’s going to take a while.
2. Developers are set up to fail AppSec.
The ‘shift left’ mantra has morphed into increasing developer responsibility for application security. Recent research from ESG found that most organizations (68%) have turned to developer-focused security products to shift some responsibilities to developers. That creates several issues.
Most application developers are currently set up to fail when it comes to implementing application security. First, most developers’ goals and incentives don’t include security, which doesn’t give developers much reason to prioritize it. Second, developers are not systemically equipped to understand the security of the software packages they use, or to easily understand and fix all the issues that come their way. Small wonder, then, that it takes an average enterprise 271 days to fix critical vulnerabilities with less than 10 percent of vulnerabilities fixed before going into production — and these are often well-resourced organizations.
And third, the responsibility for application security ultimately belongs to the company, not individual developers. Management has to learn that huge amounts of technical debt mean insecure applications, which greatly increase business risk. That’s where the big changes have to come. Not just shift left in development and developer enablement, but shifting the responsibility to the actual company, the ones that control the resources. If a company wants secure code, it’s on them to put in place standards, enforce them across business owners and development teams, and invest in the tools and training that enable security and developers to work smarter to fix application security issues. We can make application security more automated and provide less work for developers. We must better leverage dependency health to dramatically reduce the attack surface of application security and invest in less manual workflows.
We are not there yet, but we can automate the remediation of the vast majority of issues so developers only have to focus on a small list that requires special attention. That must be the focus going forward or we should expect major obstacles in how this proposed strategy can be achieved in practice.