The former policy lead for the Department of Defense (DoD) under President Barack Obama said Tuesday that while the Biden administration’s National Cybersecurity Strategy (NCS) calls for secure-by-design technology principles, the White House doesn’t actually have the authority to regulate that.
That kind of regulatory authority will require congressional action, said Michèle Flournoy, Under Secretary of Defense for Policy from 2009 to 2012, speaking at the Axonius Adapt conference in Washington on April 16.
“We don’t have real hardware assurance. When you look at all of the hands through which our chips pass – if they’re not manufactured in the United States, so that’s the majority of the chips – there’s ample opportunity for mischief,” said Flournoy, who is a founder of WestExec Advisors. “The lack of a serious hardware assurance and multi-layered defense on the hardware side is a problem.”
Since he came into office, President Biden has been moving to get more chips made in America. In August 2022 he signed the CHIPS and Science Act into law, making up to $52 billion of funding available to incentivize semiconductor makers to establish new manufacturing operations in the United States.
And just over one year ago, the Biden administration released its NCS. One major aim of the document is to shape market forces, both globally and domestically, to help improve supply chain security and reinforce secure-by-design principles.
Flournoy noted that the U.S. needs better systems to be able to see transparently into the supply chain. “But that costs money and because it’s not a requirement, companies don’t want to invest. I think DoD could be very impactful by having a requirement that you’ve got to actually know the sources of key components,” she said.
The former Pentagon official also said the U.S. should work harder to source elements of the supply chain from our own country or trusted allies. However, she recognized this isn’t always possible, and when it’s not, “we really need to double down on the testing of the software to make sure we know how it behaves and whether there’s anything hidden in there.”
Flournoy said one of the most important concepts of Biden’s NCS is the shift of responsibility and accountability to the software developers, the hardware manufacturers, and the platform and service providers.
“So, it’s not on the end user, the little guy, to be responsible. It is on the folks who are really providing the core infrastructure of the system,” she said. “That’s a really important and I think positive conceptual shift, and that’s the only way we’re going to get secure-by-design at scale across the system.”
“The problem is it’s not something that the executive branch can just regulate,” she continued, adding, “you actually need legislation.”
“I don’t think that the executive branch has the authorities to actually realign these incentives in a way that will be truly effective. And unfortunately … we’re in a pretty partisan, polarized, political environment right now where the idea of regulatory legislation in this domain seems pretty impossible at the moment,” she said.
Joanna Dempsey, vice president of the Cybersecurity and Infrastructure Security Agency (CISA) portfolio at ECS, noted that CISA’s secure-by-design guidance could be the blueprint for congressional legislation.
“Ultimately, it’ll have to flow through to regulation and requirements in order to get back that layered whole-of-nation approach,” she said.
Flournoy said the main thing in the cyber domain that keeps her up at night is “the degree to which we have real vulnerabilities, and, frankly, we know, deep penetration of our critical infrastructure networks.”
She said that moving to the cloud could be a major solution for those woes.
“If you’re on an antiquated, on-premise system and you’re moving to a modern, more secure cloud, that can be a huge step in the right direction,” Flournoy said. “That’s still very much a work in progress in the Federal government.”
“I was surprised that the [NCS] didn’t emphasize the importance of that, not only for the Federal government but for particularly critical infrastructure providers. That can be a huge part of the solution for some of these folks,” she said.
Flournoy’s biggest piece of advice for Feds is to invest in human capital to achieve better cybersecurity.
“We’re still working to develop the cadre of cyber policy experts, technical cyber experts, cyber program managers,” she continued, adding, “We’re still short of what we need as a Federal government to be a good operator, buyer, manager, sustainer of these systems.”
“The human capital piece is important,” she said. “And that’s not just recruiting the people, it’s figuring out how do you incentivize them to adopt the behaviors you’re aiming for? On what basis are you promoting them? What’s their career path? Can they actually succeed and be rewarded as a cutting-edge cyber professional?”