Biden’s Cybersecurity Strategy: Will MSPs Have to Take Responsibility?
Managed service providers (MSPs) have reason to keep a very close eye on the implications of the Biden Administration’s new National Cybersecurity Strategy. Released on March 1, the 39-page document spells out priorities and policy proposals designed to secure the digital ecosystem and combat the ever-growing threat from malicious actors.
From an MSP perspective, this paragraph is of particular significance:
To “reimagine cyberspace” and “make our digital ecosystem more trustworthy,” the Administration writes, “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
This fundamental shift of responsibility is not the only potential development that could have a profound impact on MSPs and the way they serve their small to medium-sized business (SMB) customers. The new cybersecurity strategy aims to improve collaboration around five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Each pillar is broken down into strategic objectives — and a few stand out as quite consequential for MSPs. Let’s review them in more detail:
Strategic Objective 3.1: Hold the stewards of our data accountable
The document points out that the dramatic proliferation of personal information resulting from data-driven technologies expands the threat environment and increases the impact of data breaches on consumers. Therefore, the Administration wants to see legislative efforts to impose limits on the ability to collect, maintain, and transfer personal data as well as provide strong protections for sensitive information. The legislation is also intended to include national requirements to secure personal data consistent with the NIST standards and guidelines.
As legislative efforts get underway, MSPs can play a leading role to ensure that they and their clients are compliant with these new regulations. With the focus on securing personal data consistent with NIST standards and guidelines, MSPs can benefit from leveraging vulnerability management solutions that align with both regulations and best practices.
Strategic Objective 3.3: Shift liability for insecure software products and services
According to the Administration, too many vendors ignore best practices for security and sell flawed products with known vulnerabilities, leaving the public to bear the brunt of the fallout. While the plan says software developers must have the “freedom to innovate,” it states they must be “held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”
To drive secure software development, the Administration aims to establish a safe harbor framework (which would shield compliant participants from liability) that draws upon best practices established by NIST and others. The framework would constantly evolve, incorporating new tools for vulnerability discovery, software transparency, and more.
The issue of vendor accountability and holding system owners and operators liable can have far-reaching implications for MSPs. Although the details remain unclear, ChannelE2E, a news resource for MSPs, speculated about whether it puts them at risk of lawsuits in the event of a breach or data loss. Either way, the shift will drive the market towards more secure MSP services, benefiting SMBs and other organizations that rely on them. MSPs that invest in strengthening their cybersecurity posture can set themselves apart in an increasingly regulated space.
Strategic Objective 3.6: Explore a federal cyber insurance backstop
In the event of a massive cybersecurity incident, the government is responsible for stabilizing the economy and aiding recovery. The Administration will assess the need for a Federal insurance response to catastrophic cyber events to support the existing cyber insurance market. Input will be sought from Congress, state regulators, and industry stakeholders.
The growing cybersecurity threat has already prompted SMBs to start seeking coverage. At the same time, the share of insurance companies that offer cyber insurance has increased dramatically in recent years, from 26% in 2016 to 47% in 2020, according to the U.S. Government Accountability Office (GAO). The federal government’s renewed emphasis on cyber insurance may further fuel these numbers. MSPs can capitalize on this development by helping their customers meet the stringent security requirements to obtain coverage, and strengthen their overall security posture.
Strategic Objective 4.6: Develop a national strategy to strengthen our cyber workforce
The cybersecurity talent gap is big and growing. This has a negative impact on national cybersecurity, which the Administration wants to address through the development and oversight of a National Cyber Workforce and Education Strategy. Led by the Office of the National Cyber Director, it will take a comprehensive and coordinated approach to expand the national cyber workforce, improve diversity, and increase access to cyber education and training pathways.
The talent shortage has made it difficult for MSPs to grow their service portfolio. Although it will take some time before the initiative pays off, the problem is at least being addressed. However, MSPs can still strengthen their cybersecurity posture by leveraging vulnerability management, which relies more on technology than human resources, as illustrated by the Cyber Defense Matrix.
Strategic Objective 5.5: Secure global supply chains for information, communications, and operational technology products and services
The US economy relies on globally interconnected supply chains that introduce systemic risks to the digital ecosystem. To mitigate these risks, the government will collaborate with the private sector and allies to make the supply chains more secure, resilient, and trustworthy, including efforts to shift supply chains to trusted vendors.
MSPs are part of the supply chain and must be involved in securing it. By identifying and remediating vulnerabilities before they become breaches, they can raise their own cybersecurity profile and play an active role in identifying best practices in cross-border supply chain risk management.
The Biden Administration's National Cybersecurity Plan presents both challenges and opportunities for MSPs. As the responsibility for securing cyberspace shifts towards organizations that are best equipped to handle it, MSPs must adapt by strengthening their cybersecurity offerings and prioritizing the security of their clients' systems.
The plan's focus on data protection, vendor accountability, cyber insurance, workforce development, and supply chain security could have significant implications for MSPs. By staying informed about these policy developments and proactively addressing emerging requirements, MSPs can set themselves apart in an increasingly regulated and security-conscious market. Investing in robust cybersecurity solutions, such as vulnerability management, will not only help MSPs meet the evolving demands of the market but also protect their clients, grow their businesses, and secure their place in the industry's future.