7/13/2023

The Future of Cybersecurity Management and Corporate Governance

Author: Cole Kennedy

White House Cybersecurity

In the rapidly evolving landscape of cybersecurity, new threats and advancements have necessitated a shift in strategies and protective measures. Among these changes is the transformative shift in legal liability coupled with the rise of self-attestation for software vendors. In response to these challenges, the U.S. administration introduced the National Cybersecurity Strategy Implementation Plan (NCSIP). This article aims to delve into these changes, illustrating the implications using real-life examples such as the SolarWinds case.

The Legal Liability Shift: A Significant Transformation in the Software Industry

Historically, software vendors were known to have broad immunity from liabilities related to security vulnerabilities in their products. This immunity was not an explicit legal structure but came to be the tacit norm within the industry. Technological advancements and an increasing reliance on digital systems have pushed vulnerability issues to the forefront, making this stance no longer sustainable.

The National Cybersecurity Strategy Implementation Plan (NCSIP) heralds a monumental change in this status quo. This federal framework provides a roadmap for software vendors to maintain rigorous standards similar to those seen in industries such as automotive and pharmaceuticals, where exposure to liability is commonplace. It outlines clear strategies aimed at building a sustainable and enduring software liability framework.

The impending shift in legal accountability acts as a driving force for software vendors. It pushes them to incorporate stronger, more effective security features in their applications and ensures that they adhere to robust security practices right from the product's design phase.

This sea change doesn't merely elevate security standards but also cultivates a culture of responsibility within the software industry. Vendors will now be incentivized or, better put, mandated to prioritize security equally alongside the key attributes of functionality and performance in their software products.

The NCSIP's move to introduce this liability paradigm represents a paradigm shift in software vendors' roles. They can no longer be passive suppliers in the value chain but are active agents accountable for the security robustness of their offerings. Recognizing and adapting to this shift is now a key survival trait for software vendors, especially in an increasingly interconnected digital environment with expanding attack surfaces.

Self-Attestation: An Evolving Accountability Threshold in the Software Industry

The National Cybersecurity Strategy Implementation Plan (NCSIP) introduced a significant requirement that software vendors are expected to meet: the submission of a self-attestation form. However, this form, which validates the vendor's compliance with the robust security measures adopted through their product's development, is still in draft form pending further input.

Self-attestation mandates are a definitive step toward strengthening accountability among software vendors, especially those whose products are used by governmental agencies.

The demand for self-attestation stems from the recent release of the Office of Management and Budget's (OMB) guidance memorandum, OMB M-23-16, on June 9, 2023. The memorandum extended the timeline for governmental agencies to begin collecting attestations from producers of both critical and non-critical software utilized within their operations.

Simultaneously, the Cybersecurity and Infrastructure Security Agency (CISA) released a draft self-attestation form, referred to as the 'common form.' This form, upon completion, would confirm the software producers' adherence to secure software practices in line with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218, Secure Software Development Framework. The finalization of this 'common form' is a work in progress, with the due date for comments pegged at June 26, 2023.

Regulation Timeline

Key elements of this evolving situation encompass:

  1. Adjusted Timeline: The agencies must gather attestations for critical software within three months of the common form's final approval. For all other in-scope software, this timeline extends to six months post-finalization.
  2. Attestation Collection from End Product Producer: OMB M-23-16 specifies that attestations should only be sought from the producers of the software end product, citing their unique position in guaranteeing its security.
  3. Exemption for Publicly Available Proprietary Software: Notably, the M-23-16 guidelines exempt agencies from collecting attestations for freely available but proprietary software, such as web browsers.
  4. Uncertainty Around Software Produced by Federal Contractors: While agency-developed software does not require attestation, uncertainty lingers regarding software developed under a federal contract. Software emerging from these contracts may be considered agency-developed, depending on the contracting agency's ability to ensure secure software development practices throughout the software development lifecycle.

Such directives underscore the paramount importance of stringent and secure software development practices. With these guidelines in place, vendors — particularly those developing software for governmental agencies — need to strategically navigate this shifting landscape of accountability and compliance.

A Case in Point: The SolarWinds Incident

SolarWinds, a U.S-based IT management software and service company, which fell victim to a massive data breach in December 2020, disclosed on June 23, 2021, in a filing to the Securities and Exchange Commission (SEC), that some of its former and current executives had received a Wells notice. Often perceived as a red flag, this notice suggests that the SEC is considering enforcement action against the company or, in this case, individuals due to possible violations of securities laws.

This particular incident, frequently referred to as the Sunburst attack, sent shockwaves through the global IT community as hackers exploited vulnerabilities within SolarWinds' network management software, Orion, allowing them access to data from thousands of the company's clients, including numerous companies and government agencies. The U.S. government has attributed this sophisticated cyber threat to Russian hackers.

The Wells notices were issued to several key personnel, including the Company's Chief Information Security Officer, indicating a potential move towards individual accountability for cybersecurity failures. This step seemed to be in alignment with a broader trend in the cybersecurity space, indicating increased legal scrutiny on executives and other high-ranking individuals for their roles in managing cyber risk and handling security breaches.

Controversially, some experts like Jamil Farshchi, EVP, and CISO at Equifax, emphasized on the possible misuse of the Well notices, which are typically reserved for CEO and CFO level execs for infractions like Ponzi schemes, accounting fraud, or market manipulation. A new violation category – the failure to disclose vital information, appears to be building momentum. This particular violation raises potential concern within the cyber scene, having implications reaching far beyond SolarWinds.

The SolarWinds case exposes the weight of legal accountability on the shoulders of organizations and executives in the wake of cybersecurity incidents.

Implications for the Boardroom

These shifts have profound implications for boardrooms, impacting both the governance and management of cybersecurity:

  1. Cybersecurity in the Spotlight: Boardrooms are encouraged to make cybersecurity a major focus, ensuring comprehensive evidence collection from software development processes.
  2. Risk Management Evolution: Adjusting risk management strategies to accommodate these legal changes, along with investments in cybersecurity insurance, may become a necessary strategic pivot.
  3. Vendor Oversight Reinforcement: Software creators face mounting scrutiny as legal accountability increases, thereby necessitating thorough vetting procedures.
  4. Corporate Governance Transformation: The focus on cybersecurity may lead to significant shifts in corporate governance practices.

The legal liability shift paired with self-attestation requirements heralds a seismic shift in cybersecurity management and corporate governance.

Conclusion

The shift in legal liability for software security flaws and the introduction of self-attestation forms signify a seismic shift within cybersecurity. Highlighted by the SolarWinds case, the potential legal implications of these changes are substantial. Boards must now prioritize cybersecurity, upgrade risk management strategies, scrutinize software vendors extensively, and adapt corporate governance practices.

Proactive response to these changes can shield organizations from cyber threats, reduce legal liability risks, and contribute to the wider mission of global cybersecurity enhancement. Our products Witness and Archivista are tailored to help organizations navigate these changes and prove compliance with the SSDF using the in-toto standard.

Explore our GitHub repositories or contact us to learn how we can help your organization adapt to this evolving cybersecurity environment.

Sources: