{"id":13115,"date":"2023-09-12T11:32:38","date_gmt":"2023-09-12T14:32:38","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=13115"},"modified":"2023-09-12T11:32:38","modified_gmt":"2023-09-12T14:32:38","slug":"que-significa-la-nueva-politica-federal-de-ciberseguridad-para-los-contratistas-gubernamentales-de-eeuu","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=13115","title":{"rendered":"What the new federal cybersecurity policy means for U.S. government contractors"},"content":{"rendered":"<p>In March, the U.S. 
government released a new\u00a0<a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2023\/03\/National-Cybersecurity-Strategy-2023.pdf\" target=\"_blank\" rel=\"noopener\">Cybersecurity Strategy<\/a>\u00a0authored by the Office of the National Cyber Director.<\/p>\n<p>Split into five Pillars and 27 Strategic Objectives, the strategy lays out a bold vision for defending critical infrastructure, dismantling threat actors, shaping market forces to drive security, investing in a resilient future and forging international partnerships. If fully implemented, this strategy will present businesses in the contracting space with the challenge of increased scrutiny and higher security standards, but also the opportunity to compete for orders and grants aimed at bolstering the nation\u2019s critical digital infrastructure.<\/p>\n<p>The strategy includes several areas of interest for the government contracting community, with the potential for increased funding for various projects as well as the possibility of additional regulation and enforcement.<\/p>\n<p>One section, for example, discusses using federal grant programs to incentivize the creation of critical digital infrastructure. Another expands on the ways that the government could \u201cleverage federal procurement to improve accountability,\u201d but also calls for increased enforcement of security requirements for vendors that sell to the Federal Government. 
Finally, one provision outlines plans to \u201creinvigorate federal research and development for cybersecurity\u201d through a variety of federally funded research and development centers.<\/p>\n<p><strong>\u2018Zero Day\u2019 vulnerabilities<\/strong><\/p>\n<p>The most controversial section calls for\u00a0<a href=\"https:\/\/apnews.com\/article\/biden-cybersecurity-ransomware-hacking-216e18a6cb01a0f2e7b63a6031b876f1\" target=\"_blank\" rel=\"noopener\">holding software companies liable<\/a>\u00a0for producing insecure code. While the exploitation of \u201cZero Day\u201d vulnerabilities has reached an all-time high in recent years, resulting in sweeping impacts across industry and government, the idea of holding the companies liable for the production of insecure code is a major departure from previous norms. Some have questioned whether the strategy\u00a0<a href=\"https:\/\/www.securityweek.com\/white-house-cybersecurity-strategy-stresses-software-safety\/\" target=\"_blank\" rel=\"noopener\">contains enough details to be adequately implemented<\/a>, while others noted that this objective could\u00a0<a href=\"https:\/\/business.gmu.edu\/news\/2023-05\/does-national-cybersecurity-strategy-spell-end-government-market-commercial-software\" target=\"_blank\" rel=\"noopener\">reshape how the entire government procures software<\/a>.<\/p>\n<p>In an effort to emphasize this shift in thinking, the Cybersecurity &amp; Infrastructure Security Agency along with several international partners published\u00a0<a href=\"https:\/\/www.cisa.gov\/news-events\/news\/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches\" target=\"_blank\" rel=\"noopener\">Secure-by-Design and -Default Principles<\/a>\u00a0in April. 
This guidance was intended to drive a cultural change in how the technology community views vulnerable software and shift the burden of security onto technology manufacturers.<\/p>\n<p>As part of the rollout for this new way of thinking, the Director of CISA, Jen Easterly, noted in a\u00a0<a href=\"https:\/\/www.cisa.gov\/cisa-director-easterly-remarks-carnegie-mellon-university\" target=\"_blank\" rel=\"noopener\">speech at Carnegie Mellon University<\/a>\u00a0that the concept of Secure-by-Design and -Default was intended to shift the burden away from consumers and small businesses and onto the major technology companies. This means that if fully implemented, major tech companies like Microsoft and Google would bear a greater degree of responsibility than the average government contractor, particularly companies classified as small businesses.<\/p>\n<p>Shifting the burden of responsibility is controversial because up to this point major software development companies have assumed that if they continue to identify and patch vulnerabilities, they will be immune to most negative consequences. In fact, Microsoft has institutionalized the idea of routinely releasing updates and fixes to their software to the point that\u00a0<a href=\"https:\/\/www.pcmag.com\/encyclopedia\/term\/patch-tuesday\" target=\"_blank\" rel=\"noopener\">\u201cPatch Tuesday\u201d has been an industry staple since 2003<\/a>.<\/p>\n<p>However, as threat actors continue to exploit more zero-day vulnerabilities than ever before, the need for secure software has never been greater.\u00a0<a href=\"https:\/\/www.mandiant.com\/resources\/blog\/zero-days-exploited-2021\" target=\"_blank\" rel=\"noopener\">2021 saw the largest number of zero-days exploited in history<\/a>, with state-sponsored actors leading the way. 
So far in 2023,\u00a0<a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/ransomware-victims-surge-as-threat-actors-pivot-to-zero-day-exploits\" target=\"_blank\" rel=\"noopener\">criminal ransomware groups have leveraged critical vulnerabilities<\/a>\u00a0leading to\u00a0<a href=\"https:\/\/www.wired.com\/story\/ransomware-attacks-rise-2023\/\" target=\"_blank\" rel=\"noopener\">hundreds of millions of dollars in ransom payments<\/a>.<\/p>\n<p>In July 2023, the ONCD published a\u00a0<a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2023\/07\/13\/fact-sheet-biden-harrisadministration-publishes-thenational-cybersecurity-strategyimplementation-plan\/\" target=\"_blank\" rel=\"noopener\">National Cybersecurity Strategy Implementation Plan<\/a>\u00a0providing timelines, responsible agencies, and specific guidance for many of the objectives laid out in the strategy. The plan, for example, put the Office of Management and Budget in charge of implementing Federal Acquisition Regulation changes required under\u00a0<a href=\"https:\/\/www.nist.gov\/itl\/executive-order-14028-improving-nations-cybersecurity\" target=\"_blank\" rel=\"noopener\">Executive Order 14028<\/a>\u00a0by the first quarter of FY24, and called for the Office of Science and Technology Policy to work with a variety of grant-making agencies to prioritize investments in \u201cmemory safe programming languages.\u201d<\/p>\n<p><strong>\u2018Secure by Design\u2019<\/strong><\/p>\n<p>Neither of these provisions came with fresh funding for implementation. 
Strikingly, the \u201cSecure-by-Design\u201d provision had one of the weakest implementation plans in the entire document, calling for ONCD to host a legal symposium by the second quarter of FY24 to \u201cexplore different approaches to a software liability framework.\u201d<\/p>\n<p>Ultimately, how federal dollars are allocated over the next few Fiscal Years will determine the true impact of the new strategy and implementation plan. While it appears that offices like ONCD and CISA are pushing for dramatic shifts in the cybersecurity landscape, their lack of regulatory and budget authority may hamper the implementation of those plans.<\/p>\n<p>If fully implemented, the strategy would have a net positive effect on the government contracting space by increasing federal investment in secure technology development and reducing vulnerabilities in major software that all government contractors use. It is too soon to tell whether this bold vision for the future can truly become a reality.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/www.c4isrnet.com\/opinion\/2023\/09\/11\/what-new-federal-cybersecurity-policy-means-for-government-contractors\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/www.c4isrnet.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In March, the U.S. government released a new Cybersecurity Strategy authored by the Office of the National Cyber Director. 
Split into five Pillars&hellip; <\/p>\n","protected":false},"author":1,"featured_media":13116,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[37,23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/13115"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13115"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/13115\/revisions"}],"predecessor-version":[{"id":13117,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/13115\/revisions\/13117"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/13116"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}