One year ago today, BSA | The Software Alliance released a new policy agenda for cybersecurity. A few months before this release, organizations around the world were shaken by NotPetya, a malware attack that crippled government, critical infrastructure, and business entities. The incident resulted in more than $10 billion in total losses to the global economy, according to a White House assessment. While no cyberattack has been more damaging, businesses continue to face daunting, evolving cybersecurity risks every day. As we mark the 15th annual National Cybersecurity Awareness Month this October, BSA is working diligently to implement its cybersecurity agenda and build a stronger Internet ecosystem for the billions of global citizens, businesses, and governments that depend on it.
The continuing evolution of cyber threats underscores the necessity of cybersecurity in the global digital economy. Cybersecurity threats like NotPetya are increasing in number and sophistication. For example, according to the National Institute of Standards and Technology’s (NIST) National Vulnerability Database, the number of newly discovered software vulnerabilities rose from 6,447 in 2016 to 14,650 in 2017. Already through the first three quarters of 2018, NIST has recorded 12,979 new vulnerabilities, on pace to surpass the high-water mark set last year. Cybersecurity threats also become more diverse as their volume grows with each passing year, as evidenced by the number of new mobile malware variants, which increased 54 percent in 2017.
Additionally, the tech industry continues to develop emerging technologies, such as Internet of Things (IoT) devices and artificial intelligence (AI) applications, further connecting industry and government and transforming business operations. While these innovations have the potential to change both how companies operate and how people live, new technologies continue to be ripe targets for exploitation. For instance, overall IoT attacks increased 600 percent in 2017.
As 2018’s National Cybersecurity Awareness Month begins, BSA continues to help policymakers improve the global cybersecurity landscape by identifying and prioritizing best practices and successful policies. As our cybersecurity agenda articulates, cybersecurity is a global challenge, and it must be met with concerted, collaborative action across sectoral and national boundaries.
Specifically, BSA urges government-industry collaboration to: promote a secure software ecosystem through the adoption of security-by-design principles; strengthen government approaches to cybersecurity; pursue international consensus for cybersecurity action; develop a 21st century cybersecurity workforce; and advance cybersecurity through digital transformation. On the one-year anniversary of BSA’s cybersecurity policy agenda, it would be fruitful to take stock of how these issues, and BSA’s work, have evolved.
Promoting a Secure Software Ecosystem
Cybersecurity begins with software security, and BSA’s members are leaders in developing secure software. Globally, governments are considering policies to encourage software security and cybersecurity in the IoT. In September 2018, the European Commission, European Parliament, and European Council began “trilogue” negotiations to reach an agreement on an update to its 2013 Cybersecurity Strategy. The suggested revision aims to provide a permanent mandate for the European Union Agency for Network and Information Security and establish a European Union framework for the cybersecurity certification of information and communications technology (ICT) products. Additionally, Japan and the United States are working to develop new approaches to IoT security through proposed security baselines, procurement guidelines, and similar tools. BSA has strongly advocated to secure the software ecosystem through expanding adoption of security-by-design principles in software development, developing a widely recognized benchmark for software security, and advancing IoT security through adaptable, risk-based approaches built on established industry best practices.
Creating a Stronger Government Approach to Cybersecurity
To strengthen cybersecurity across the Internet ecosystem, governments should begin by ensuring they embrace cybersecurity themselves. That means adopting secure technologies, leveraging purchasing power to drive industry-wide progress in security, and securing government networks. In the United States, BSA strongly advocated for passage of the Modernizing Government Technology Act, which Congress finalized in December 2017, and continues to advocate for its aggressive implementation. Additionally, in 2018, BSA worked with Congress to secure passage of legislation limiting the use of Lowest Price Technically Acceptable (LPTA) in contracting for cybersecurity and IT systems. This legislation will empower the government to build cybersecurity into technology acquisitions, improving the security and quality of ICT throughout government networks.
Pursuing International Consensus for Cybersecurity Action
Because malicious cyber actors are not constrained by international borders, governments too must operate collaboratively on the international stage. BSA advocates for the harmonization of global cybersecurity laws, advancement of cybersecurity norms, and development and adoption of international standards to provide a foundation for the interoperability and collaboration needed to confront global cyber threats. In March 2018, BSA released a first-of-its-kind International Cybersecurity Policy Framework, outlining a recommended model for a comprehensive national cybersecurity policy as a tool to drive policy harmonization. BSA launched this Framework at a public panel examining the increasing risk of global cyber policy fragmentation.
Developing a 21st Century Cybersecurity Workforce
A strong, secure Internet ecosystem relies upon a robust cybersecurity workforce capable of meeting constantly evolving challenges. BSA continues to call for investments in creating a qualified, diverse 21st century workforce to address growing needs in the cybersecurity arena. BSA has outlined a vision for enhancing the cyber workforce through mid-career retraining, expanded access to computer science education, and alternative pathways to cybersecurity careers.
Recently, BSA successfully advocated for legislation to improve and expand the Department of Defense Cyber Scholarship Program and the Federal Cyber Scholarship-for-Service program. BSA has also successfully supported legislation aimed at helping military personnel and their spouses transition into new employment opportunities in the cyber field through professional credentials and apprenticeship studies.
Advancing Cybersecurity through Digital Transformation
Emerging technologies such as AI and blockchain will bring new opportunities for advancing cybersecurity, as well as new challenges. BSA is working to shape policies that embrace the opportunities these technologies can create. Greater collaboration on security challenges in the emerging technologies marketplace has been advanced through various multi-stakeholder processes enabling industry-led solutions. BSA has urged policymakers around the world to approach emerging policy questions associated with evolving technologies by convening representatives from government, industry, and civil society to develop flexible and adaptable cybersecurity policies that are internationally harmonized and interoperable. To promote these best practices, in October 2017 BSA testified before the IT Subcommittee of the House Committee on Oversight and Government Reform regarding the importance of effectively securing the IoT.
As we mark National Cybersecurity Awareness Month, BSA will continue to promote public-private collaborations to improve businesses’ cyber resiliency and encourage US policy to drive greater security. Our members remain dedicated to working with government, civil society, and businesses to advocate cybersecurity best practices and effective policy. As cyber threats continue to expand in frequency and strength, managing risk will require significant coordination and commitment across industries, communities, and nations every month of the year.
Learn more about BSA’s cybersecurity initiatives at bsa.org/cybersecurity