White House Releases National Cybersecurity Strategy
March 20, 2023 - Earlier this month, the Biden administration released the long-awaited National Cybersecurity Strategy.
The world is increasingly complex and cyberthreats are growing more sophisticated, with ransomware attacks running into millions of dollars in economic losses in the US. In 2022, the average cost of a ransomware attack was more than $4.5 million, according to IBM.
Cybercrime and cyber insecurity were seen by risk experts surveyed for the World Economic Forum's Global Risks Report as the 8th biggest risk in terms of severity of impact, across both the short term (next two years) and over the coming decade.
Ultimately, the administration's position is that those best placed to secure systems and software, which are neither small businesses nor end users, must bear the responsibility for securing them. The strategy also reflects the administration's belief that long-term incentives should encourage investment in cybersecurity. Although the government has a significant role to play in achieving these outcomes, the strategy makes clear that the private sector is also expected to address the vulnerabilities in U.S. technology.
Following is a non-exhaustive overview of the strategy through the lens of its five pillars:
1. Defend critical infrastructure. This pillar builds upon the government’s current efforts to protect the nation’s critical infrastructure, while advancing the call to operationalize collaborative defense, including by:
Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety, and harmonizing regulations to reduce the burden of compliance;
Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and
Defending and modernizing Federal networks and updating Federal incident response policy.
2. Disrupt and dismantle threat actors. This pillar seeks to prevent malicious actors from mounting cyber campaigns that threaten the nation’s security or public safety, including by:
Strategically employing all tools of national power to disrupt adversaries;
Engaging the private sector in disruption activities through scalable mechanisms; and
Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with international partners.
3. Shape market forces to drive security and resilience. This pillar aims to shift responsibility for cybersecurity to the entities best positioned to mitigate risk, and to redirect the consequences of poor cybersecurity away from the most vulnerable, including by:
Promoting privacy and the security of personal data;
Shifting liability for software products and services to promote secure development practices; and
Ensuring that Federal grant programs promote investments in new infrastructure that is secure and resilient.
4. Invest in a resilient future. This pillar primarily addresses public sector calls to action aimed at enhancing the cybersecurity posture of both the U.S. public and private sectors, including by:
Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem, while making it more resilient against transnational digital repression;
Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure; and
Developing a diverse and robust national cyber workforce.
5. Forge international partnerships to pursue shared goals. This pillar provides that the U.S. will develop best practices in coordination with its allies and partners to “shift supply chains to flow through partner countries and trusted vendors,” including by:
Leveraging international coalitions and partnerships among like-minded nations to counter threats to the digital ecosystem through joint preparedness, response, and cost imposition;
Increasing the capacity of partners to defend themselves against cyber threats, both in peacetime and in crisis; and
Working with allies and partners to build secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.
The strategy emphasizes the protection of critical infrastructure sectors such as water, electricity, transportation, and other essential services, and places more of the burden on larger software companies to ensure their products meet industry practices for secure software development. Open-source software, presumably, remains outside the scope of that liability shift.
There will likely be public funding or grants available to support the development of the next generation of cybersecurity solutions and of a cyber-aware workforce. Unfortunately, this tune has been played for at least seven years, and the cybersecurity workforce still remains inadequate.
The United States has long collaborated with its cybersecurity partners in the takedown of international ransomware gangs. It will be interesting to see what additional collaboration emerges in terms of execution, tooling, and prosecution.
The Biden administration’s National Cybersecurity Strategy puts forth an ambitious vision for U.S. cybersecurity—one to be attained by the end of the decade. To achieve a more cyber-secure future, the administration seeks to realign roles and responsibilities to those entities in the best position to secure systems and software and to promote incentives for investment in cybersecurity over the long term.
Private sector organizations are well-advised to begin assessing the impact of the Strategy on their business, especially as its implementation is expected to focus on accountability mechanisms and shifting liability. In the short term, companies providing software products and services into the U.S. market may wish to evaluate how the Administration’s focus on liability-shifting could affect their development lifecycle, contracting strategy, and overall cyber risk management processes.
In presenting this aggressive strategy, the Biden administration has set a high bar for cybersecurity that will be hard for future administrations to ignore. It has also put Congress on notice for where it will need to act.