CISA's security-by-design initiative is at risk: Here's a path forward | TechCrunch

News Summary
- Understanding that baseline is critical. There is danger when rhetoric around shifting responsibility in cyberspace suggests that cybersecurity problems and challenges exist only because technology vendors cut corners or that all cybersecurity risk can be avoided by following a simple set of straightforward practices.
- Adopting certain new processes, rigorously enforcing them, and fixing existing incentives would still be a much-needed improvement over the current status quo. However, adopting memory-safe languages or pushing large actors toward better risk management would not necessarily have prevented many significant vulnerabilities in recent memory, such as Log4Shell.
- The Biden administration’s 2023 National Cybersecurity Strategy identified structural shortcomings in the state of cybersecurity, calling out the failure of market forces to adequately distribute responsibility for the security of data and digital systems.
- Specificity about the scope and goals of the program will help prevent its inevitable critics from distorting the debate into all-or-nothing terms. SbD — the first policy manifestation of the National Cybersecurity Strategy’s effort to shift responsibility — will not come about by sheer goodwill alone.
- silver bullets often trade rhetorical clarity for crippling internal compromises.” The SbD program could achieve deep, meaningful changes in how some of the largest technology vendors build services and products.
- This piece addresses both and highlights a path forward. The politics of SbD implementation — which implicitly require a capacity to compel change in vendor practices, as well as the insight to design them — are treacherous ground for CISA, as the fast-growing agency is not a regulator.