
What's New in the National Cybersecurity Strategy?

March 6, 2023

This past week, the White House unveiled a new national cybersecurity plan with five pillars. What is the plan, and how will it affect both the public and private sectors of the economy?

The much-awaited National Cybersecurity Strategy was unveiled on March 2, 2023, to widespread criticism in the defense and cybersecurity sectors.

First, the highlights of the White House fact sheet on the new National Cybersecurity Strategy are as follows:

  1. We must rebalance the responsibility for defending cyberspace by transferring the burden for cybersecurity away from people, small enterprises, and local governments and onto the institutions that are most capable and best-positioned to lower threats for all of us.

  2. We must realign incentives to favor long-term investments by striking a careful balance between protecting ourselves from immediate risks today and proactively planning for and investing in a robust future.

Below is a link to the National Cybersecurity Strategy. There is an introduction, a section on execution, and five pillars that make up the strategy's core. The following is the table of contents:

PILLAR 1 | DEFEND IMPORTANT STRUCTURE

PILLAR 2 | THREAT ACTORS SHUT DOWN AND BE DISMANTLED

PILLAR 3 | IMPROVE SECURITY AND RESILIENCE BY SHARING MARKET FORCES

PILLAR 4 | PUT MONEY INTO A RESISTANT FUTURE

PILLAR 5 | CREATE INTERNATIONAL PARTNERSHIPS TO ADVANCE THE IMPLEMENTATION OF SHARED GOALS

Deputy National Security Advisor for Cyber and New Technologies Anne Neuberger and Acting National Cyber Director Kemba Walden contributed to this online discussion of the plan, which was published by the Center for Strategic and International Studies (CSIS) this week.

COVERAGE IN THE MEDIA

The new National Cybersecurity Strategy has received extensive and varied media coverage. This is a compilation from some of the best angles:

CNN

Putting software makers at risk for hacking holes left by their products was at the center of the White House's ambitious cyber initiative released on Thursday.

According to the strategy, developed in response to major hacking incidents which threatened key public services in Biden's first year in office, the government is taking advantage of its regulatory and purchasing power to enforce cyber security measures on companies that are critical to national and economic security.

According to the U.S. government, it reflects the widespread belief that foreign governments, such as Russia, and cyber criminals cannot be stopped by market forces.

Wall Street Journal

Excerpt: "The 35-page study provides recommendations on a broad range of cyber policy, from international coordination on combating cybercrime to safeguarding Internet-connected gadgets. It was supervised in part by previous National Cyber Director Chris Inglis, who resigned in February.

"The new approach replaces a report that the Trump administration released in 2018.

"Other components of the strategy are speculative, including the recommendation that the federal government evaluate the necessity for a government backstop for cyber insurers. Others call for more immediate action, such as ideas for rules that would set minimum cybersecurity requirements in key infrastructure industries like water, financial services, and healthcare.

Kemba Walden, the acting national cyber director, told reporters on a conference call on Wednesday that the president's approach "fundamentally reimagines America's cyber-social relationship." It will shift the burden of managing cyber risk onto people who are best equipped to handle it, she said.

The Record

Excerpt: "The strategy highlights many of the cybersecurity rules that have already been established for aviation, rail, water, and natural gas pipelines. The White House intends to engage with Congress to close any "gaps in statutory authorities to enforce basic cybersecurity requirements or alleviate related market failures," but it also acknowledges that more will be required.

Top administration officials remained mum on which businesses Congress would need to regulate or which industry would be the next to be subject to binding laws. But they also mentioned that in the upcoming months, the Environmental Protection Agency will start implementing new cybersecurity regulations on water plants.

"The strategy highlighted that the federal government needs to do a better job of outlining how partners can contact federal agencies for assistance during cyber incidents and what types of support the federal government may provide. The Cybersecurity and Infrastructure Security Agency (CISA) is taking the lead on a new National Cyber Incident Response Plan and accident report guidelines.

The strategy also places a lot of emphasis on the requirement that U.S. agencies go on the offense against cyber risk actors, using both more forceful tactics and tried-and-true techniques like penalties and legal action.

HealthITSecurity

Excerpt: According to Mike Hamilton, CISO of Critical Insight, "the health-care sector will be impacted by three specific elements as well as the federal government's attempts to disrupt criminal infrastructure" and is implicitly included in the strategy's discussion of critical infrastructure.

"First, there will be an increase in regulatory requirements, perhaps with a stronger emphasis on third-party risk management. Assessing and keeping track of third-party security protocols will be an extra regulatory effort because of the growing tendency to compromise healthcare entities through commercial partners.

In fact, vendor responsibility is one of the document's main areas of attention. According to the government, the responsibility for cybersecurity should be shared by "the individuals who are in charge of the systems that house our data and make our society run" as well as the technology companies those individuals rely on.

"Second, the effort to collaborate with vendors to guarantee the security of IoT devices, particularly medical IoT, will help to relieve the burden on health care to protect goods after implementation," Hamilton continued.

Axios

The policy also labels ransomware as a "threat to national security, public safety, and economic success," which might lead to the intelligence community allocating additional resources to combat the issue.

  • In order to encourage businesses to strengthen their cybersecurity, cybersecurity standards will continue to be incorporated into federal grant programs and the procurement procedure.

Between the lines: A significant portion of the national cybersecurity policy draws on initiatives already undertaken by the Biden administration, such as the eradication of ransomware gangs and a review of rules for critical infrastructure sectors.

  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters that much of the work they had done on key infrastructure was already in progress. "The strategy codifies the first two years of implementing basic cybersecurity requirements for pipelines, for railways, and soon for new industries we'll be announcing," says the statement.

The administration views the policy as a long-term, 10-year plan rather than something that can be adopted immediately, a senior administration official told reporters.

  • For instance, Congress would need to approve legislation that would demand involvement from the private sector and hold software developers accountable for data security vulnerabilities.

Throughout the course of the upcoming year, as the specifics, ramifications, and action plans become more apparent, expect to see a significant increase in the amount of writing and discussion around this new national cybersecurity strategy.

But I believe that this eagerly awaited plan is a great move forward for the White House and CISA. The previous Trump government's cyber strategy was disclosed in 2018; therefore, I must admit that I am shocked that the Biden administration has taken this long to release it.

The approach accelerates current trends toward more regulation and compliance and introduces novel perspectives on vendor accountability and cyber insurance that will take time to materialize.

This blog has a YouTube video discussion that cyber pros should watch before working with their teams to determine how this impacts their companies and industries.

Author
Eric Ng