Cybersecurity baseline

National Cyber Director Mulling Cybersecurity Mandates for Critical ICT Products

The White House’s top cyber adviser is looking into establishing baseline cybersecurity requirements for critical information and communications technology products.

The U.S. government has shown that it expects American companies to voluntarily take steps to strengthen their own cybersecurity. However, National Cyber Director Chris Inglis said that a company’s interest in delivering a secure product might not always be enough. He said that the government might need to step in at some point to dictate which security features are mandatory, Defense Systems reported Tuesday.

Inglis, a 2022 Wash100 winner, drew a comparison between ICT and the automobile sector, where “you don’t have to independently negotiate for an air safety bag or a seatbelt or anti-lock brakes.” Such features are in cars today largely because of government mandates, Inglis said at a June 13 event hosted by the Information Technology Industry Council.

Inglis acknowledged that drafting similar measures for ICT products would be more difficult because of their wide use across industries. According to the director, his office is providing counsel on relevant legislative and policy recommendations. He said that the bulk of what his team receives are requests for comment on what counts as “truly critical.”

Inglis added that the government also needs to concentrate cybersecurity responsibilities on software developers whose products are widely used. He highlighted the Kaseya ransomware attack as an example of how an end user can suffer the consequences of the developer’s failures.