Federal Cybersecurity Policy Still Lags Rapid Change

The need for robust cybersecurity regulation and oversight has become essential if we are to protect American citizens, companies, and governments from cyberattacks.

Jeff Martin, Vice President, Mend.io

January 2, 2025


Water, power, sewage, banking, education, you name it -- all these life essentials have something in common: they rely on information technology. Increasingly complex and insecure technology. Meanwhile, threat actors have the means to launch ever-rising numbers of attacks on critical applications. The revelation this past August of the huge data breach at National Public Data of Americans’ Social Security numbers, and other personal data, is a stunning Exhibit A.   

The number of reported vulnerabilities has skyrocketed over the last 10 years. In fact, the number of new software vulnerabilities cataloged in the federal National Vulnerability Database has increased an average of 29% per year over the last seven years. Every year sets a record high, and with the introduction of malicious code-writing and security hole-finding AI models, there’s no reason to think that trend will reverse. The federal government's contribution to cybersecurity has thus far been through guidance and influence or by wielding its purchasing power as a huge IT consumer. Those have some value but clearly aren't having much impact.   

The public is largely unaware of how low the bar is presently set in software security. Modern software is rarely written from scratch. Instead, developers use an "assembly" approach that pulls together existing code packages, often open-source software built and maintained by developers who are not beholden in any way to the company shipping the final product.


As security vulnerabilities and active malware become increasingly common, all companies find themselves shouldering increasing security risk. Government organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) have spent a great deal of time, money, and effort over the last few years trying to convince software vendors to adopt basic security practices and Software Bills of Materials (SBOMs). A vendor's SBOM tells the customer what is in the software -- an inventory of components and versions -- but not whether any of those components are secure; that judgment only emerges when the inventory is cross-referenced against vulnerability data. CISA's actions have not moved the needle on stopping breaches. US cybercrime costs reached an estimated $320 billion as of last year. Between 2017 and 2023, costs grew by over $300 billion.
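To make the SBOM limitation concrete, here is an added example (not code from the article or from Mend.io) that reads a CycloneDX-style SBOM and joins it against a vulnerability feed in the OSV style of "introduced/fixed" version ranges. Both the SBOM fragment and the feed are constructed for this illustration; the package names and the "EXAMPLE-" advisory IDs are placeholders, not real packages or CVEs. The point it demonstrates is that the SBOM by itself produces no finding at all; the findings come entirely from the second data source.

```python
"""Cross-reference a CycloneDX-style SBOM against a vulnerability feed.

An SBOM enumerates components and versions; it carries no judgement about
whether those components are safe. Security information only appears once
the inventory is joined against vulnerability data (NVD, OSV, vendor
advisories). The SBOM and the feed below are constructed for this example;
the package names and "EXAMPLE-..." advisory IDs are placeholders.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed SBOM fragment in the CycloneDX JSON shape. Only the fields the
# matcher uses (name, version, purl) are populated.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libxml-parse", "version": "2.9.10",
     "purl": "pkg:npm/libxml-parse@2.9.10"},
    {"type": "library", "name": "jwt-helper", "version": "1.4.2",
     "purl": "pkg:npm/jwt-helper@1.4.2"},
    {"type": "library", "name": "fastlog", "version": "3.0.1",
     "purl": "pkg:npm/fastlog@3.0.1"}
  ]
}
"""

# Constructed vulnerability feed, OSV-like: each advisory names a package (a
# version-less package URL), the first affected version, and the fix version.
VULN_FEED: List[Dict] = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:npm/libxml-parse",
     "introduced": "0", "fixed": "2.9.11",
     "summary": "XXE via external entity expansion"},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:npm/jwt-helper",
     "introduced": "1.0.0", "fixed": "1.4.0",
     "summary": "tokens with alg=none accepted"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.10' into (2, 9, 10) so versions compare numerically.

    A plain string comparison would rank '2.9.9' above '2.9.10' and silently
    miss affected components, which is a classic SBOM-scanner bug.
    """
    return tuple(int(p) for p in v.split("."))


def version_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV range semantics: affected if introduced <= version < fixed.

    A missing 'fixed' means no patched release exists yet, so every version
    from 'introduced' onward is affected.
    """
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def package_of(purl: str) -> str:
    """Strip the version from a package URL: pkg:npm/x@1.2.3 -> pkg:npm/x."""
    return purl.split("@", 1)[0]


def find_vulnerable_components(sbom_json: str, feed: Iterable[Dict]) -> List[Dict]:
    """Join SBOM components against the feed; return one finding per match."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        pkg = package_of(comp.get("purl", ""))
        for adv in feed:
            if adv["package"] == pkg and version_affected(
                comp["version"], adv["introduced"], adv.get("fixed")
            ):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "summary": adv["summary"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, VULN_FEED):
        print(f"{f['component']}@{f['version']}: {f['advisory']} ({f['summary']})")
```

Run stand-alone, the script reports only libxml-parse: jwt-helper is at 1.4.2, past the constructed fix version 1.4.0, and fastlog has no advisory in the feed. Swap the constructed feed for a real one (OSV or NVD) and the same join is what turns a bill of materials into an actual security assessment; the SBOM alone never does.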

Companies say they're doing more about cybersecurity, but breaches continue, and the private market is not correcting poor behavior. Stock charts barely register a blip when companies report breaches now. Congress has not yet stepped in, hampered, perhaps, by an inadequate understanding of the issue.  


Urgent action is, consequently, needed. 

Government stepped in to protect our food and medicine by establishing the Food and Drug Administration, intervened to make our automobiles safer by establishing the National Highway Traffic Safety Administration, and acted to ensure job safety by establishing the Occupational Safety and Health Administration. When new technology or industrial development has threatened public health and safety, the government has created new regulatory bodies to protect that health and safety. And according to public polling, while Americans may be largely dissatisfied with the federal government in broad terms, they still desire it to help keep the populace safe, including providing protection from unsafe products. 

The upshot is that Congress should establish a new regulatory body to evolve the “guidance” currently provided by CISA and presidential executive orders, coupled with oversight powers based on an expanded definition of critical software and hardware. What specifically defines “critical” here will of course need to be determined, but the current definition in use by CISA simply does not provide a sufficient scope to ensure America’s cybersecurity.    

The current patchwork of industry self-regulation -- with each federal department doing its best to oversee its respective industry areas -- leaves too many gaps and will not even scale to the challenges we already face. The new regulatory body's charter should establish enforceable minimum security practices for private companies that are deemed critical to the nation. Those standards should go beyond CISA's currently used definition of critical infrastructure, which does not include companies essential to our everyday lives, such as Microsoft, Google, payment providers, and cybersecurity firms like CrowdStrike.


This new regulator will also need the power to audit companies against those standards, selectively publish findings publicly, share findings with other regulators such as the SEC, establish fines, and in egregious cases, be able to pull products from the market. These powers follow the established scope of current agencies, such as the FDA and NHTSA. Without these powers of regulation over essential software, any new agency will be reduced to providing “guidance” and our nation will continue to be at risk. 

As CISA already sits under the Department of Homeland Security, the above could be accomplished either by expanding its jurisdiction and giving it the powers and responsibilities described here, or by establishing a new agency. Robust cybersecurity regulation and oversight has become essential if we are to protect American citizens, companies, and governments from cyberattacks. Our unpredictable technological and geopolitical environments will demand no less.

About the Author

Jeff Martin

Vice President, Mend.io

Mend.io’s Vice President, Product, Jeff Martin has spent over 15 years in high-tech product roles, helping both the organizations with which he worked and their customers transform and measure their business processes. Jeff co-wrote and co-signed, along with other cybersecurity leaders, an open letter to Congress this past spring, expressing concerns regarding changes to the government's National Vulnerability Database. 
