A recent report from the Cyberspace Solarium Commission (CSC) includes detailed plans for guiding cybersecurity policies in the United States, which the commission feels is necessary to prevent catastrophic fallout from breaches and attacks for corporations and citizens alike.
The report, released to the public in early March, embraces recommendations based on six pillars that the commission feels will help the United States implement a strategic approach to defending the country against cyberattacks “of significant consequences.” These pillars include:
- Reform the U.S. Government's Structure and Organization for Cyberspace
- Strengthen Norms and Non-Military Tools
- Promote National Resilience
- Reshape the Cyber Ecosystem
- Operationalize Cybersecurity Collaboration with the Private Sector
- Preserve and Employ the Military Instrument of National Power
Section 4.2 of the report caught our eye as it pertains to the private sector and supply chains, both of which are lacking a stipulated working relationship with the government. Part of this sweeping initiative includes an effort to ensure that companies that are assembling and selling software, hardware, and firmware are ‘liable for damages from incidents that exploit vulnerabilities’ known at the time of shipping goods and not fixed in a reasonable period.”
This, the commission says, would establish a ‘duty of care’ in law to make final goods assemblers responsible for producing security patches that cover products for the duration of their life and support needs—or for a year after the most recent patch release.
Why did the commission feel this effort is important? According to the report, “To date, there has not been a clearly defined duty of care for final goods assemblers in their responsibilities for developing and issuing patches for known vulnerabilities in their products and services, the timeliness of those patches, and maintaining a vulnerability disclosure policy.”
It’s essential that organizations are covering their bases to keep their products secure. Implementing these regulations would be a huge leap forward in lessening the fallout from inevitable cyberattacks.
Chris Wysopal, Chief Technology Officer and co-founder of Veracode, explains: “We have long known how to build more secure systems and many market leaders do build this way, but it is often impossible for the customer to understand if they are getting secure software with strong security maintenance backing it up or a lemon where the vendor will drag their feet issuing patches. Standards and transparency can give customers and regulators a choice.”
Transparency is critical here. A mandate from the Federal Trade Commission would ultimately make it easier for end-users and buyers to understand how companies find, record, disclose, and retain vulnerabilities—including the disclosure of known and unpatched vulnerabilities.
One of the potential recommended incentives for encouraging organizations to better handle patches includes placing a cap on insurance payouts for cybersecurity incidents involving unpatched systems. As we know well, these incidents are often very expensive and disruptive to business. The key is getting ahead of application security and preparing the best plan of attack for known and unknown vulnerabilities.
If this law (and other regulations in the report) take effect, companies will need to be much more proactive about how they handle security. Sending out software with vulnerabilities could mean a financial death sentence if organizations are not thorough about patching vulnerabilities and sending this information to their customers.
Becoming a security-minded organization starts with shifting left. Incorporating security processes early and often reduces risk and can even help train developers to code more securely at the start of a project. Down the road, that saves businesses from damaging liability and fines that so often come from unnecessary breaches.