News, Trends, and Insights for IT & Managed Services Providers

New National Cyber Strategy Released, Declares Ransomware a Threat to National Security and Looks to Shift Liability

Written by

Dave Sobel

Published on

March 2, 2023

I mentioned the update expected for the national cyber strategy earlier in the week – it was released today. It’s a 40-page document providing a roadmap for new laws and regulations to fight cyber threats. It’s intended as a 10-year plan, not an instant change.

The strategy declares ransomware a “threat to national security, public safety, and economic prosperity,” a designation intended to allow more intelligence community resources to be used against the threat.

The plan is built around five basic pillars: 

  • Minimum cybersecurity requirements for critical infrastructure 
  • Offensive cyber actions against hackers and nation-states 
  • Shifting liability onto software manufacturers
  • Diversifying and expanding the cyber workforce
  • Continuing to build international partnerships

Of note for MSPs: they are mentioned by name in the document. Quote: “The Federal Government will also deepen operational and strategic collaboration with software, hardware, and managed services providers with the capability to reshape the cyber landscape in favor of greater security and resilience.” This is part of the second pillar.

Let’s also highlight the intention to shift liability for software vulnerabilities onto manufacturers. This had been previewed earlier in the week in a speech by CISA Director Jen Easterly. The question is how officials would determine who was responsible for vulnerabilities in products with thousands of components. White House officials made clear that they did not want to punish underfunded open-source developers — instead shifting the responsibility onto final-goods assemblers who profit from the software.

Why do we care?

You should read it. It’s distinctly relevant to the industry, and this is how legislation starts, with proposals by experts. If you call yourself a managed services provider, the framework outlined here includes you in the responsibility for addressing the cyber threats.

Which leads to defining where the responsibility is. I’m in favor of responsibility being at least shared by those who manufacture products. In the physical world, if a product is created that is unsafe, the manufacturer has responsibility for its repair. This easily shifts to the virtual world as well, and thus it makes sense. The customer can’t be wholly responsible, nor can the service provider squeezed in the middle between customers and software vendors.
