"National Cybersecurity Strategy" is a document issued from the White House by the Biden-Harris Administration earlier this month. In this document, they state that through a new strategy —with the same name— there will be substantial changes, starting in the United States, concerning cyberspace and its use. Changes that will reflect its values, such as public safety and economic prosperity, respect for human rights, and trust in democracy. As the fact sheet declares, this strategy comes in addition to previous and concurrent plans and efforts, such as the National Security Strategy, the National Defense Strategy, the Executive Order 14028, the National Security Memorandum 5, M-22-09, and the National Security Memorandum 10.
This strategy and other projects attest to the fact that the U.S. recognizes that cybersecurity is essential to its economy, democracy, information privacy, and national defense. In cooperation with the private sector, President Biden's Administration has worked to strengthen the country's cybersecurity and, together with international allies and partners, aims to improve collective prevention, defense, and response to cyber threats from around the world that run counter to shared interests.
Implementing the National Cybersecurity Strategy will require efforts, collaboration, and investments by the U.S. government, international allies, partners, civil society, and the private sector. Throughout implementation, the Federal Government will collect and monitor data related to investments, progress, results, and effectiveness of efforts. Furthermore, it will prioritize applying lessons learned from previous cyber incidents and seek to keep up with the constant and accelerating changes within the cyber ecosystem. Let's look at the issues this strategy aims to address and the pillars on which it is based.
What are the problems to be addressed with this strategy?
The cyber environment continues to expand and grow more complex at an accelerated pace. This is true not only of its structure and interconnections, to the benefit of companies and consumers, but also of its cyber risks and threats. Every day, criminal groups, including those backed by governments of autocratic nations that reject the interests and norms of the U.S. and allied countries, target organizations and users worldwide. They seek to exploit vulnerabilities both in computer systems and in the people who operate them. Their main aims are the theft of sensitive information or monetary assets and the disruption of operations or services.
As interdependencies in the digital ecosystem increase, cyberattacks on a few spread rapidly and end up affecting many. As the amount of sensitive information stored within cyberspace grows, more people are at risk. These are common problems today in the field of cybersecurity. This strategy seeks to address them with a stronger, larger-scale commitment, aiming for positive changes that strengthen defense, resilience, and national values such as safety, democracy, and economic prosperity.
What is this new strategy based on?
The National Cybersecurity Strategy hinges on five pillars that, for their part, depend on two fundamental changes. The first change is referred to as "rebalance the responsibility to defend cyberspace." The Administration seeks to shift the cybersecurity burden that falls on individuals, small businesses, local governments, and other groups with limited resources to those organizations better positioned and capable of reducing the risk exposure of all stakeholders within this shared digital ecosystem. The second change is "realign incentives to favor long-term investments." The goal here is for stakeholders to strike a balance between short- and long-term obligations in their cybersecurity. Public programs and market forces can contribute by rewarding early adoption of security and resilience, coordinating investments in cybersecurity, and promoting a collaborative approach to a better future.
The five pillars of this strategy are the following:
1. "Defend critical infrastructure"
The ideal behind this pillar is to give citizens confidence in the availability and security of critical infrastructure and its services. Unfortunately, the rewards the market grants to companies that own and operate such infrastructure and voluntarily implement cybersecurity risk prevention and mitigation strategies are insufficient. Likewise, there has been a lack of mandatory requirements that encourage the implementation of preventive measures, so the Administration is focusing on establishing them and on expanding the use of minimum requirements for cybersecurity practices and outcomes in critical sectors, while encouraging organizations to go beyond that minimum.
In addition, in all sectors, the Administration seeks to modernize regulatory frameworks (basing them on existing standards and guidelines), better adapt them to each sector's changing risks and threats, and harmonize them to avoid duplication and streamline their implementation. In line with what Fluid Attacks usually shares, they state: "The most effective and efficient regulatory frameworks will be those put in place well before a crisis, rather than through the imposition of emergency regulations after a crisis occurs."
Here, the Administration emphasizes enabling and fostering collaboration between public and private organizations to defend critical infrastructure and its essential services and prevent their disruption. It also highlights the example the Federal Government can set and the support it can provide to the defense of critical infrastructure by modernizing the security of its own networks and systems (under the principle of zero trust) and improving its incident response policies. When critical infrastructure sectors request support from the Federal Government, it should coordinate authorities and efforts for a unified response backed by predefined support possibilities and guidelines.
2. "Disrupt and dismantle threat actors"
Part of the purpose of this pillar is to make it impossible for cybercriminals to mount or maintain campaigns that threaten the security of the U.S. The Federal Government has already improved its capabilities to respond to cybersecurity incidents; it has arrested, prosecuted, and sanctioned transnational threat actors, and recovered enormous amounts of money from illicit activities. Building on these and other successes, and again highlighting the need for continued and coordinated cross-sector collaboration, it intends to keep enhancing its strategies to thwart campaigns before they have an impact, render them unprofitable, and dismantle cybercriminal groups.
The Administration intends to encourage support from the private sector, mainly since this sector has achieved a very broad understanding of criminal activity with its threat-hunting operations and its accelerated optimization of capabilities and technologies. The Federal Government also seeks to increase the speed and scale of threat intelligence transmission to provide early warning to potential or actual victims and defender teams. In addition, with a specific focus on ransomware attacks, the U.S. aims to investigate this type of crime further, leverage international authority and cooperation to disrupt the operations of perpetrator groups, strengthen the resilience of its critical infrastructure to withstand these attacks, and improve law enforcement against illicit cryptocurrency exchanges.
3. "Shape market forces to drive security and resilience"
According to the Administration, the severe and ongoing impacts of cyberattacks on sensitive information and industrial operations "make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience." Many organizations do not invest enough in cybersecurity and end up affecting, for instance, small businesses that rely on them to some extent. In this case, the U.S. aims to change the situation by reformulating the laws that regulate the responsibilities of those who collect and manage personal data and of those who, due to errors in the development of technology and lack of protection, allow losses or damages that fall on citizens. Many providers continue to ignore secure development or coding, as well as security testing, and introduce vulnerable products or services into cyberspace; because of their position in the market, they manage to disclaim their liability by contract. The Administration intends to start shifting these responsibilities to them, especially to the most qualified ones, and to establish higher security standards for high-risk scenarios.
The Federal Government will use purchasing power and grant-making to incentivize the adoption of cybersecurity best practices. The idea is to invest in new infrastructures that are secure and resilient by design and to maintain them that way throughout their lifecycle. Moreover, the Administration will encourage coordinated disclosure of vulnerabilities in all technologies and further development of SBOMs. It will also develop processes to identify and mitigate risks in unsupported software used in critical infrastructure. Finally, it seeks to prioritize funding for research and development in cybersecurity technologies, especially those to strengthen critical infrastructure.
4. "Invest in a resilient future"
On the one hand, the Administration recognizes the vulnerabilities in the fundamental structure of the Internet and those that arise when something new is built on top of it. In response, it will rely on investment and collaborative action to develop and implement security solutions in its networks and reduce such vulnerabilities on the Internet. On the other hand, it emphasizes prioritizing research, development, and demonstration (RD&D) in cybersecurity for new-generation technologies such as quantum information systems, biotechnology, and clean energy infrastructure. The idea is to invest in RD&D projects to advance cybersecurity in areas such as encryption (see, for example, post-quantum cryptography), artificial intelligence, cloud infrastructure, operational technologies, telecommunications, and data analytics.
Additionally, in this pillar, the Administration acknowledges the shortage of specialized cybersecurity personnel within and outside the nation. In response, it seeks to invest in enabling greater access to education in this field and in expanding, diversifying, and maintaining a strong workforce.
5. "Forge international partnerships to pursue shared goals"
The Administration aims to build a coalition with other countries "to maintain an open, free, global, interoperable, reliable, and secure Internet." Ideally, through international collaboration, it will address common threats, punish and disrupt transnational criminal groups, protect against repression by them, help improve the capacity of coalition members, strengthen and defend globally accepted norms, and build an increasingly secure and resilient ecosystem. The U.S. and its allies will be able to "advance common cybersecurity interests by sharing cyber threat information, exchanging model cybersecurity practices, comparing sector-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities."
Finally, other aspects of this last pillar include the U.S. interest in working collaboratively to generate new international law enforcement mechanisms, create secure, transparent, and reliable global supply chains for different technology products and services, and support investigations, response, and recovery of allies affected by incidents.
Is your company, inside or outside the United States, interested in improving and preserving a preventive cybersecurity posture? Contact us, and with our continuous manual and automated security testing, we'll help you get there!