It is well past time for cybersecurity policy to focus more on anticipation and root technology designs than on incident response and aftermarket security. The growing consequences of cybersecurity incidents, the speed at which attackers move among targets, and the barely tolerable insecurity of widely used technology systems are all increasing risk faster than defenders can keep pace. The Buying Down Risk series addresses necessary change in the framing of cybersecurity policy in preparation for the next US national cybersecurity strategy. The chief goal of this series is to make effective security easier and cheaper and unrecoverable or unforeseeable system failure less likely.
The US strategy should arrive at an important moment: a political inflection point midway through the current administration—still in the smoldering aftermath of SolarWinds/Sunburst and log4j—and amidst the horrific context of the Russian invasion of Ukraine. It also arrives at a critical technological threshold, as cloud services become the default for many organizations, and information technology (IT) and operational technology (OT) accelerate their convergence. This strategy and surrounding policies hold the promise of extracting far more momentum from shifting public awareness and policymaker attitudes about cybersecurity than previous iterations.
Rather than suggesting one silver bullet or an infeasibly grand strategy, this series focuses on areas with potential for outsized improvement and strong returns on investment. It first identifies three critical domains of cybersecurity activity—technical vulnerabilities, product and service architectures, and security governance—and offers specific recommendations for the private and public sectors under a common framework for action. The proposals made in this series contribute to an overdue policy shift toward anticipation of exploitation, better security at the root of systems, and more defensible designs than those in use today. The recommendations made here are necessarily incomplete, as is this series, but they serve to advance policy efforts to improve the technical architecture of the most consequential information technology systems in present use.
The cyber ecosystem weaves together private- and public-sector organizations among a sprawling web of technology, politics, and people. Security that focuses on individual products and features can easily miss the risk engendered by products linked together in this ecosystem. Therefore, this series focuses on systems: the connections and dependencies of complex systems that are difficult to understand and defend as a source of insecurity all their own, and one necessary for providing consumers with the array of modern services they have grown accustomed to. Accordingly, the Buying Down Risk series makes recommendations to industry as much as to government to leverage the former’s vast resources and privileged access rather than depending solely on regulation from the latter.
The goal of policy addressing the cyber ecosystem writ large, and therefore mostly the private sector, is to incentivize rather than dictate, to nudge rather than command, and to seek efficient impact rather than monumental resource commitments. Creating security in the cyber ecosystem demands policy that can engage with complex, adaptive systems—demanding nuanced inputs more analogous to engine oil than torque.
Policymakers thus find themselves in an uncomfortable situation—navigating mega-cap shareholders and product lifecycles as often as constituents and legislative language while trying to secure an ecosystem in constant flux. Private-sector and nongovernmental entities shape the cyber domain, from the configuration of servers under attack to the failover states of incomprehensibly vast internet services, from the compensations of volunteer open source developers to remediating attacks, both ingenious and brutish.
These circumstances challenge traditional policy levers, but they also provide policy opportunities. Industry can commit itself to architectures, standards, and practices that improve security throughout the ecosystem. Such an approach requires better incentives and structures for reliable self-regulation while applying direct regulatory power to unearth and secure nodes of concentrated risk throughout the cyber ecosystem. Industry is the victim of increasing, massive ransomware attacks, prolific theft of intellectual property, debilitating service disruption, and incursions on critical infrastructure systems, and it is also the vendor of programs with access to vital government operations; its reliance on and interest in the security of the cyber ecosystem is therefore clear.
The Buying Down Risk series argues for prioritization of secure design in IT systems. The series does not denigrate the importance of OT, the need for better operational practices, or the necessity of good incident response. Nonetheless, focusing on architecture rather than operations or a US response positions policymakers to take action earlier in the chain of events that would otherwise lead to insecurity. Starting at the root of common technologies gives policymakers the widest possible impact and helps nudge complex, dynamic systems towards security at scale. The outcomes should improve the lot of cyber defenders and users, producing systems that are innately easier to defend, more costly to compromise, and better able to improve over time.
The following principles reflect a set of acknowledgements about the nature of cybersecurity and digital systems that can help inform policymakers and their actions:
- Aim for architecture: Focus greater public effort below the swells of market changes by discussing core technologies as well as design and security processes, not just features or products.
- Trust but verify: Public-private means partnership, not deference—build policy processes to confirm, not assume, the presence of good security governance and sound architectures.
- Iterate and adapt: Technology systems adapt to user behavior and vice versa. Policies should accommodate this adaptability and foster small, iterative changes suited to a complex system.
- Avoid silver bullets: No strategy can address all sources of risk at once, and technological silver bullets often trade rhetorical clarity for crippling internal compromises.
- Embrace a systems approach: Prioritize inputs and incentives with strong process over specific outputs. Build in learning and recognize that progress is not linear.
Buying Down Risk argues that improving the cybersecurity of most digital systems requires a deliberate choice to deprioritize (but not ignore) the firefighting tactics of incident response and to implement scalable practices that harden the most insecure and critical system components. Buying down risk means smartly using scarce dollars and policymaking capacity: employing many small, pilotable investments coupled with robust policy support for good security behavior across a complex web of vendors, consumers, volunteers, and governments. The recommendations made in this series focus on a few key players within industry and government—those best situated to make systemic adjustments at reasonable cost.
Key to this approach are the relationships between industry and the US government as well as the organization of the public sector itself. Although the maturation of the Cybersecurity and Infrastructure Security Agency (CISA), the establishment of the Office of the National Cyber Director (NCD), and other changes represent progress, much work remains. Clear points of contact and nodes of industry representation within government for the many private-sector stakeholders will go a long way toward improving communication and coordination and moving from rolodexes to formal relationships.
The private sector should not mean just the largest IT enterprises, either. Open source developers, maintainers, nonprofits, civil society groups, and small-to-medium enterprises (SMEs)—as well as state, local, tribal, and territorial governments (SLTTs)—play roles that are just as important in the security of the cyber ecosystem, albeit in a more distributed fashion. The public sector also has work to do in deconflicting its own roles and responsibilities, for the sake of both efficiency and the clear understanding of industry. The NCD, National Security Council, Departments of State and Commerce, CISA, and the suite of adversary-focused entities (Departments of Defense and Justice, the Federal Bureau of Investigation, and the intelligence community) all compete at different moments for jurisdiction; whatever the final lanes established, consistent collaboration among all these players and with appropriate private-sector entities is necessary for the development of effective policy.
This series does not try to address every facet of cybersecurity, and several key leverage points are conspicuously absent: workforce investment, adversary responses, cyber diplomacy, and incident reporting, for starters. The goal of the series, though, is not to address every cyber topic immediately, but to start engaging with some key ones in the right way. The US government and its industry partners should aim to use this series’ focus areas as starting points for prioritizing policy, ongoing dialogue, and reframing organizational efforts to secure the cyber ecosystem. As they progress, their efforts should broaden to include allies and partners and a larger menu of policy areas, with iteration informed by lessons learned along the way.
Strategy in brief
To extend these principles into action, this series offers policy recommendations under three broad categories: addressing technical vulnerabilities, improving product and service architectures, and encouraging more effective security governance.
Technical vulnerabilities: Articles on memory safety and container security address the security implications of technical features in the cyber ecosystem to reduce systemic sources of risk created by vulnerabilities in core technology systems.
Product and service architecture: This category discusses open source software, complexity management, and the origin of software components. It analyzes the creation and organization of software in the ecosystem to restructure incentives, resource allocation, and baseline security practices.
These recommendations aim to improve the cybersecurity ecosystem through changing technical designs, development practices, financial commitments, and incentive structures. This scope purposefully includes technology, processes, and people. The first seven Buying Down Risk articles are a starting point for creating a more secure, resilient cyber ecosystem amidst a changing threat environment—not a final set of recommendations.
These are a set of proposals to strengthen public policy in encouraging more secure technology architecture in widely used IT systems to broadly improve cybersecurity. These are not the only proposals relevant to this question, nor is secure IT architecture the only important challenge in cybersecurity. Rather, these proposals are a prioritization of where scarce policy attention and resources can have the greatest impact under a coherent framework. Future work can and should expand on these proposals, addressing: data and economic security; asset inventory systems; approaches to increasing the size, skill, and efficient allocation of talent in the cyber workforce; improvements in the cost, visibility, and defensibility of cross-sector critical infrastructure technologies; building a more effective national feedback loop from cyber behaviors and incidents, including a bureau of cyber statistics; and strengthening insurance and risk-transfer mechanisms to better incentivize good security outcomes.
The Buying Down Risk series aims to spark useful conversations rather than serve as a final assessment of cybersecurity writ large. A pressing demand for better public policy for cybersecurity and a remarkable confluence of technological opportunity and political will are at work in the United States and among many of its allies and partners. Given that, and the persistent insecurity of widely used systems, a change of pace and approach from policymakers should create significant benefits with a correspondingly important legacy.
The authors wish to thank several reviewers who shared feedback on this project, including Melissa Griffith, Wendy Nather, Dakota Nelson, Katie Nickels, Justin Sherman, Neil Ziring, and others who wish to remain anonymous. Their insights were uniformly helpful and reflected in this text, with any errors or omissions our own.
Articles in the series:
- Some coding languages, like C and C++, allow for a common, exceptionally dangerous bug called a memory safety error, comprising up to 70 percent of industry vulnerabilities.
- Industry’s move towards container architectures provides great promise for dynamic systems and service provision, but it also brings up new concerns and opportunities for the cybersecurity ecosystem.
- Open source software (product and service architecture): Open-source software underpins most modern code, and the unique incentives and constraints its developers face pose a tricky set of challenges for the cybersecurity ecosystem.
- Software provenance and composition (product and service architecture): SBoM adoption is picking up pace, aiming to provide better insight into and contractual leverage for software components; increased investment, standardization, and coordination can help fully develop SBoM use.
- Product and service architecture: The ever-increasing complexity of software programs and services can become a security and operational challenge in and of itself, increasing ecosystem-wide risk.
- Despite software’s ubiquity and omnipresent vulnerability, conventions around liability for software producers are still informal and rarely enforced.
- Cyber poverty line: Many enterprises face systemic challenges to their cybersecurity posture, from resource shortages to suboptimal risk attitudes, all of which weaken an ecosystem only as secure as its weakest links.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.