Why ‘Made in the USA’ Matters in Cybersecurity
Prioritizing Domestic Development: The Imperative of Choosing US-Made
Open-source software has long been the backbone of digital spaces, with up to 70% of all sites on the Internet built on the popular Apache HTTP Server from the Apache Software Foundation. The ubiquity of Apache, and its known weaknesses, makes it a popular target for hackers, as evidenced by parts of the 2017 Equifax breach and the 2021 log4j vulnerability exploit. Given concerns over weaknesses in the global software supply chain, the White House tasked NIST in 2021 with establishing a set of best practices to enhance software security. This has led to an ongoing focus on requiring a software bill of materials (SBOM) to protect the digital supply chain.
The same emphasis on software’s components should be applied to the origin of the tools used in cybersecurity. U.S.-developed cybersecurity tools not only boost our economy but are inherently aligned to domestic threats and geopolitical pressures.
Consider three key concerns with offshore development of cybersecurity tools:
- Data Security and Privacy: Transferring sensitive components and information across borders might expose data. States like California, Nevada, and Maine enforce strict data privacy requirements, and legislation is pending in 14 additional states to bolster the management and sharing of personally identifiable data (PII).
- Quality Control: Offshoring can introduce consistency challenges that expose networks to large-scale attacks. For instance, the Mirai Botnet attack in 2016 exploited weak default passwords on IoT devices, many of which are produced abroad.
- Geopolitical Considerations: Escalating international tensions, such as Russia’s invasion of Ukraine in 2022 or the Israel-Hamas conflict, highlight concerns about software originating from unstable regions.
Offshore development risks are largely mitigated by companies building cybersecurity tools exclusively on American soil. U.S. regulations and standards, like the NIST framework, are crafted to address the unique challenges of the American digital environment. Adhering to these benchmarks ensures cybersecurity tools offer more comprehensive protection for U.S. entities. For instance, U.S.-based CrowdStrike was among the first to detect and combat Russian cyber espionage activities on American soil. Moreover, supporting U.S.-based cybersecurity solutions like Palo Alto and FireEye fosters local technological innovation, reinforcing national economic strength and security resilience.
While many argue in favor of foreign development due to cost, the perceived savings often are overshadowed by unforeseen expenses. Breaches or outdated tools can result in costs that far exceed any initial savings. U.S.-made solutions typically uphold higher standards for post-sales support, which is vital for maximizing the utility of any cybersecurity tool.
Security leaders face the challenge of balancing their organization’s cybersecurity needs with available resources. Choosing U.S.-based cybersecurity tool development is a strategic long-term investment with lasting benefits. Investing domestically boosts the U.S. economy, promoting growth, job creation, and overall resilience. By advocating for local development, organizations can address the talent shortage in cybersecurity, fostering a new generation of skilled professionals. This talent investment strengthens current defenses and ensures a continuous influx of experts for future challenges. A thriving U.S. cybersecurity industry can also draw global talent, positioning the U.S. as a primary center for cybersecurity innovation.
Selecting U.S.-made cybersecurity solutions represents a long-term commitment, underscoring trust, cultivating domestic expertise, and strengthening national digital defenses. Each investment decision embodies broader aspirations for a secure cybersecurity ecosystem. Businesses that acknowledge this not only bolster their own security but also advocate for a robust, resilient, and secure national digital environment.