Earlier this month, the White House released its National Cybersecurity Strategy, demonstrating a heightened focus at the highest levels of government on securing our digital interactions, which, as we’ve seen with recent attacks on critical infrastructure, have tangible impacts on the real world.
At DigiCert, we’re excited to see these issues considered and have long championed the need for establishing digital trust in many of the areas that the White House Strategy addresses. Here are a few of my takeaways from the strategy and what product developers should keep in mind moving forward.
One of the key points in the National Cybersecurity Strategy is that the responsibility of cybersecurity rests primarily with developers and manufacturers.
The White House fact sheet on the strategy announcement notes, “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
I’ve shared before that cyber is a shared responsibility and that consumers should have the right to assume the security of products they purchase. However, individuals still have some responsibility and will need to use best practices like MFA, secure Wi-Fi and rotating passwords.
But developers and manufacturers should hold the lion’s share of responsibility for cybersecurity, as they are “most capable and best positioned” to implement digital trust, something that has become more apparent as the industry has matured.
This discussion of responsibility for security reminds me of growing up in an era when seatbelts were optional, but they are now required by law for the safety of passengers. Now that all our critical infrastructure has software on it, it’s no longer an option for security to be an afterthought in the manufacturing process. Manufacturers must ensure that security is baked into the entire development of products and software, or else they could be held responsible for vulnerabilities.
Putting it another way, would you risk buying a car from a manufacturer that didn’t test the product safety and share that information with you? Or what about a new drug that wasn’t designed and tested with safety in mind? If you are hesitant to buy other products that aren’t secure by design, then why not apply that to IoT devices that may be in your home, car, office or on your person?
Just as carmakers and drugmakers are held liable for their products, I believe developers and manufacturers involved in the design and production of smart critical infrastructure should be held liable for the security of the devices, code and any data those devices collect and store.
What that liability will look like in the United States has yet to be determined, but it’s likely to include financial consequences. Additionally, it’s clear that manufacturers need to be prepared and ahead of the game. There is an urgency for companies to do more with digital trust for their software and to take more responsibility for cybersecurity.
We’re seeing similar regulations that put responsibility on manufacturers advancing in other markets as well. For instance, the EU Cyber Resilience Act puts more liability on IoT device manufacturers, with massive fines and penalties for noncompliance. This act will give consumers more purchasing power and trust in their devices and more transparency about the security of what they’re purchasing.
The White House also mentions IoT security labels: “Through the expansion of IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.” There have been efforts underway for IoT security labels in multiple countries including Singapore, Finland and the EU. Labelling that discloses security details about devices would further empower consumers the same way that nutrition labels on food products empower them to make well-informed purchases.
This shared move across governments to pass regulations for software and IoT development makes sense and will hopefully create a trusted global supply chain where, as the National Cybersecurity Strategy states, “like-minded nations counter threats to our digital ecosystem through joint preparedness, response, and cost imposition.”
The White House Strategy comes at a time when the case for digital trust, or providing confidence that our digital interactions are secure, has never been clearer. The internet is evolving, and so is our threat landscape. As stated in the strategy, “As we build a new generation of digital infrastructure, from next-generation telecommunications and IoT to distributed energy resources, and prepare for revolutionary changes in our technology landscape brought by artificial intelligence and quantum computing, the need to address this investment gap has grown more urgent.”
Unfortunately, security has all too often been an afterthought for IoT devices. Manufacturers have been under high demand to bring their products to market quickly, and that has led to devices and software that are infamously full of vulnerabilities. On top of that, threats have been evolving, and we will see even more tools for attackers in the future using AI, post-quantum computing and other emerging technologies.
Thus, security needs to be baked into the way connected products are designed, built, tested, deployed and operated. Regulation that shifts liability is a great step forward toward holding developers and manufacturers accountable for failing to bake security into the design of their products.
At DigiCert, we have solutions designed to help developers manage trust in their software and devices. DigiCert® Software Trust Manager helps organizations stand up and manage processes around software vulnerability scanning and software signing. Software Trust Manager is a digital trust solution that protects the integrity of software across the software supply chain, reducing risk of code compromise, enforcing corporate and regulatory policy and delivering fine-grained key usage and access controls in code signing. It provides a flexible and scalable way to ensure code signing best practices like code scanning, rights and access management and key rotation.
DigiCert® Device Trust provides a diverse digital trust platform for IoT that enables organizations to establish, extend and maintain device trust globally. Device Trust brings together DigiCert® IoT Trust Manager and DigiCert® Embedded Trust Manager into an integrated portfolio.
IoT Trust Manager is an automated solution for managing identity across all devices by providing authentication, encryption and integrity to connected IoT devices. IoT Trust Manager embeds and manages device identity at scale, supporting a broad range of certificate types and enrollment methods and meeting the diverse security needs and form factors of the connected device market.
Embedded Trust Manager mitigates the complexities of managing security across the device lifecycle, allowing customers to avoid building complex in-house security applications.
Furthermore, both Software Trust Manager and Device Trust are built on DigiCert® ONE, the platform for digital trust, which can be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and air-gap needs. It issues extremely high volumes of certificates quickly, using a robust and highly scalable infrastructure.
I applaud the government for taking a more proactive approach in what’s needed to build a more cyber-resilient future. I also warn developers that they need to start adapting their practices now so that they are prepared for the regulations coming.