From suspicious links to a fundamental shift: the new National Cybersecurity Strategy

A breakdown of the new National Cybersecurity Strategy from the White House

On March 2, 2023, the Biden administration released its much-anticipated National Cybersecurity Strategy. The strategy centers around “two fundamental shifts” on how the US approaches cyberspace: rebalancing the burden of cybersecurity to technology companies and incentivizing long-term investments in cybersecurity. With these two shifts in mind, the strategy lays out five pillars to realize its vision for a defensible, resilient and values-aligned digital ecosystem among the U.S. and its allies.

The strategy also emphasizes the need for collaboration with the private sector and critical infrastructure operators, a more proactive approach to cyber defense and disrupting malicious actors, and building international coalitions and partnerships. 

An implementation plan for the strategy is forthcoming. The National Security Council, Office of Management and Budget and the Office of National Cyber Director will lead the interagency effort and develop new policy as necessary.

Rebalancing responsibility

The first fundamental shift in the strategy acknowledges the challenges facing end users who bear the burden of cybersecurity. Safety and security in cyberspace should be the responsibility of those organizations “most capable and best positioned” to do so, and not, as it stands today, on the individual, small businesses and state and local governments. Those “best positioned” organizations include technology companies who develop and maintain the software products and services the world relies on.

““A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.””

— National Cybersecurity Strategy

Realigning incentives

The government must balance the need to protect existing systems with ensuring the future digital ecosystem will be secure by design. Utilizing “all tools available,” the government aims to align the public and private sectors to achieve “gains in defensibility and systemic resilience.” The strategy puts everything on the table to achieve these goals, from implementing regulations to investments, in order to incentivize a more secure future in cyberspace.

Pillar One: Defend Critical Infrastructure

With its discussion of new regulations, this pillar has generated a lot of interest among industry. The country relies on critical infrastructure to function, from energy to water to banking, and these sectors are valuable targets for malicious cyber attacks carried out by criminal groups and nation states. They are also almost entirely operated by the private sector, creating disconnects in information sharing with government security entities and regulatory requirements from administrative agencies. 

““While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today's marketplace insufficiently rewards and often disadvantages the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.”
”

The strategy proposes minimum cybersecurity standards for critical infrastructure operators, a departure from the often voluntary, non-binding standards in place now. For some sectors, new legislation will need to be passed in order to give the responsible agencies regulatory authority. In conjunction, the government aims to enhance information sharing, enabling the government to more rapidly share detailed cyber threat intelligence with critical infrastructure operators and can alert the government and other stakeholders of potential risks or breaches.

The administration acknowledges the federal government must also modernize its own systems and harden its defenses. Investing in federal cybersecurity and implementing zero-trust architecture can serve as a model for integrated and modern secure networks in the private sector.

Pillar Two: Disrupt and Dismantle Threat Actors

This pillar makes clear that all elements of government power will be leveraged, integrated and sustained in order to combat and defend against malicious cyber threat actors. Federal law enforcement, the Department of Defense and the Intelligence Community will continue to thwart attacks while enhancing their cooperation with allies, partners and the private sector.

““The timely sharing of threat intelligence between Federal and non-Federal partners enhances collaborative efforts to disrupt and dismantle adversaries. Open-source cybersecurity intelligence and private sector intelligence providers have greatly increased collective awareness of cyber threats, but national intelligence that only the government can collect remains invaluable.””

The strategy gives particular attention to ransomware given its outsized impact on critical infrastructure and national security. The strategy outlines the administration’s plan to combat ransomware via international cooperation, targeting ransomware infrastructure, improving critical infrastructure defenses and cryptocurrency investigations.

Pillar Three: Shape Market Forces to Drive Security and Resilience

In order to shift the burden of security on to “those best positioned to reduce risk” the administration recognizes that the marketplace must incentivize tech providers to invest in secure products and services. While new regulations certainly serve as a forcing function to change market participant behavior, other government efforts are needed to shape the marketplace itself in a sustainable manner. 

““Markets impose inadequate costs on and often reward those entities that introduce vulnerable products or services into our digital ecosystem.””

The strategy proposes changes aimed at three market segments — personal data, Internet of Things (IoT) and software. First, the administration calls for legislation that would create clear guidelines for how Americans’ personal data is collected, handled, stored and transferred. Second, incentivize secure development of IoT through funding research and development and establishing a security labeling system for the devices. Finally, software manufacturers often face perverse incentives to secure their products. The strategy proposes a new framework that will hold liable companies who fail to reasonably secure their products. To do so, the strategy calls for legislation that prohibits contract language fully disclaiming liability in conjunction with a “safe harbor framework” to protect companies who abide by secure development practices, along with establishing industry-wide vulnerability disclosure programs.

Pillar Four: Invest in a Resilient Future

The administration will prioritize government investments in securing the internet and supporting development of new technologies that are critical to achieving the administration’s goal of a safe and resilient digital ecosystem. 

Investments will take place across various areas, including foundational Internet security, a comprehensive cybersecurity R&D plan, preparing for a post-quantum world, clean energy, digital identity solutions and cyber workforce development. 
 

““The Internet is critical to our future but retains the fundamental structure of its past. Many of the technical foundations of the digital ecosystem are inherently vulnerable. Every time we build something new on top of this foundation, we add new vulnerabilities and increase our collective risk exposure.””

Pillar Five: Forge International Partnerships to Pursue Shared Goals

Establishing international norms of behavior in cyberspace has long been a challenge for the U.S. and its allies. The administration aims to bridge the gap through increased collaboration with both partner nations and engagement with opponent countries. The US will build international capacity to combat and deter irresponsible behavior in cyberspace leveraging existing partnerships and coalitions. As the strategy notes, many of those responsible for malicious cyberattacks against the U.S. are located in foreign countries which only increases the need for international cooperation.

““We must enable our allies and partners to secure critical infrastructure networks, build effective incident detection and response capabilities, share cyber threat information, pursue diplomatic collaboration, build law enforcement capacity and effectiveness through operational collaboration, and support our shared interests in cyberspace by adhering to international law and reinforcing norms of responsible state behavior.””

To learn how Authentic8 can help cybersecurity teams better investigate threats and protect your research, try Silo.