The White House’s newly released cybersecurity strategy has outlined a suite of goals that aim to make cyberspace inherently more secure. It comes at a time when ransomware threat actors run rife, making hundreds of millions of dollars every year while they hit thousands of businesses across the world with their encrypting malware. Many of these attacks are the result of poor security practices by the impacted organisations and bugs in software provided by companies.

This new strategy replaces a 2018 strategy created under former President Donald Trump. The Trump administration’s four pillars were noticeably patriotic, with ‘America’ earning its place in the title of three of the four pillars:

  1. Protect the American People, the Homeland, and the American Way of Life
  2. Promote American Prosperity
  3. Preserve Peace through Strength
  4. Advance American Influence

Biden’s replacement pillars are as follows:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The administration is positioning to hold software manufacturers liable if they ship products with reckless security standards. A notable quote from the 35-page document sums up the move succinctly: “a single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.”

However, it’s not just manufacturers of software that are at fault: end users habitually use weak passwords and ignore requests to turn on multi-factor authentication. As of July 2022, Twitter’s Account Security Transparency report states that fewer than 3% of users have a form of multi-factor authentication turned on. Furthermore, Nord Security’s research determined that the top three passwords in the USA for 2022 were: “guest”, “123456” and “password”, demonstrating that old habits die hard. The administration’s new strategy is attempting to make terrifying statistics like these less of an issue.

USA is the most attacked

Approximately half of the world’s ransomware attacks target the USA, making it the most targeted country by far. The strategy calls for agencies to actively target illicit cryptocurrency exchanges that play their part in making ransomware a profitable business model. The National Security Agency, the Federal Bureau of Investigation and key international partners would likely be at the tip of the spear in this effort.

It will likely take many years for the strategy to come into full effect and for it to enact change across the technology sector. At a minimum, it would appear that technology manufacturers should expect more regulations coming their way to increase security baselines and that threat actors will see increased levels of US Government (and international partner) action against them. However, creating legislation to make software developers liable for security issues would need to be discussed in conjunction with the technology industry and also pass through Congress, something that could prove challenging at best in a capitalist market where the cybersecurity industry generates billions of dollars of revenue every year.

The Government stockpiles vulnerabilities

Additionally, legislative action against software manufacturers' quality will be difficult to reconcile with the U.S. Vulnerabilities Equities Process. This process allows the U.S. Government to decide whether to tell software manufacturers about vulnerabilities or to restrict the knowledge of the vulnerability to the Government, and potentially other partners, "so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."

TEARLINE queried cvedetails.com—a global vulnerability database—and as seen in the chart below, the number of vulnerabilities found each year since 2016 has rapidly risen, hitting all-time highs year-on-year, with no signs of slowing down.

Data source: cvedetails.com