Tidelift CEO & co-founder Donald Fischer recently sat down with Enterprise Security Weekly to discuss the U.S. National Cybersecurity Strategy, a new part of a coordinated effort by the U.S. government to improve cybersecurity for the government, industry, and citizens, and what organizations building with open source software should know. You can watch the video in full by following this link—or read on for some highlights:
Host Adrian Sanabria: Let’s start at the scope. We’ve seen things in the past that were pretty impressive in how forward-looking they were and what they covered, but they were specifically for organizations selling to U.S. government agencies—the scope was a bit smaller, and we expected the impact of that to be smaller, like with M-22-18. With this strategy, is the scope everybody? Is it private and public? Is it still going to specifically be addressing organizations selling to the U.S. government?
Donald: I think that’s one of the interesting and important elements of the U.S. National Cybersecurity Strategy, that it expands the conversation. That M-22-18 memorandum that you are referring to came out in September of 2022—that was put forth by the Office of Management and Budget—and it was helpful because it made things more concrete, it got into more details building on some of the activities that started with the May 2021 presidential executive order on cybersecurity. M-22-18 said, organizations supplying to government agencies are going to need to meet new requirements, and among other things, provide a software bill of materials (SBOM). Namely, it required that these organizations self-attest that they are following secure software development practices. And the definition of those secure development practices is a big PDF document that was compiled by the National Institute of Standards and Technology (NIST) called the NIST Secure Software Development Framework, a comprehensive, and pretty reasonable, broad set of considerations to take into account when building any software.
This was all before the National Cybersecurity Strategy was released. What this strategy has done is expand the scope of the folks who need to be paying attention to things like the NIST Secure Software Development Framework, to not just organizations supplying the government, but to any organization providing services using software in the U.S. The key mechanism for that is the shift in how cybersecurity liability is going to work and the Cybersecurity Strategy document goes into detail about how they envision this happening.
Historically, we’re familiar with the liability regime in software being that all risk is borne by the user—all those big caps paragraphs when you click through a license agreement. And that’s been convenient for software makers, but that’s not how it works in other key industries. You look at the automotive industry, and say the steering wheel comes off the car while you’re driving down the highway, that’s a big problem for the car manufacturer—it’s not buyer beware. And in pharmaceuticals, if there's contamination in a manufacturing line, that’s going to be an issue for the manufacturer where they’ll need to bear the liability for that. But one of the key takeaways from the National Cybersecurity Strategy is that they want to shift liability to organizations that are producing software.
"...one of the key takeaways from the National Cybersecurity Strategy is that they want to shift liability to organizations that are producing software."
- Donald Fischer
Adrian: To see the amount of progress we’ve made in ten years, even less than ten years, it feels like it’s moved a lot quicker than other industries that waited decades [to make changes]. When we talk about the automotive industry, a lot of the safety regulations—even with tens of thousands of people dying every year—still took decades, such as seat belts and crash testing.
Donald: One of the things that’s constructive about the way that this is being put forth in the pretty all-encompassing and broad strategy is that it’s not just a naked assignment of liability, but there’s specific guidance being given about how to mitigate that liability. An interesting nuance of the National Cybersecurity Strategy is that it talks about not just this new liability framework and assignment of liability, but it also talks about the concept of a ‘safe harbor’—if organizations can demonstrate that they are following the recommended practices, they will receive some relief from the liability actions that may come if bad incidents happen. I love that there’s this explicit path that says you’re liable, do something about it, and there’s specific guidance around what you should be doing.
Adrian: Anything else significant from the White House Cybersecurity Strategy that we haven’t touched on that you think is relevant?
Donald: There’s one more part that strikes close to home for my personal interests and the areas of interest we’re focused on at Tidelift, which are the open source software developers. I think one of the undersold aspects of the Cybersecurity Strategy is that there’s an express declaration in there that the U.S. government wants to get more proactively and directly involved in open source communities. It’s showing through that there are knowledgeable folks on the scene who are contributing to these policies and strategies, showing up with not just good, but modern ideas, thinking ahead in a helpful way.
To hear the podcast episode in full, you can continue watching on Security Weekly’s YouTube channel. For a summary of the National Cybersecurity Strategy and other government cybersecurity efforts, stop by our government open source cybersecurity resource center. You can also learn more about Tidelift and how we pay maintainers to validate and keep to industry and government standards.