National Cybersecurity Strategy

On March 2, the White House issued the National Cybersecurity Strategy (the Strategy), a broad vision to reinvigorate the federal government’s approach to cybersecurity and address a wide spectrum of long-term challenges. The Strategy reflects the latest significant cybersecurity-focused activity from the Biden administration and contains an ambitious set of goals and initiatives.

The policy declaration is structured around the following five “pillars,” each of which contains multiple strategic objectives:

(1) defend critical infrastructure

(2) disrupt and dismantle threat actors

(3) shape market forces to drive security and resilience

(4) invest in a resilient future

(5) forge international partnerships to pursue shared goals

The Strategy also calls for fundamental shifts in how the nation allocates roles and responsibilities. Notably, the Strategy calls for “rebalancing” cybersecurity burdens to alleviate strains on end users and infrastructure operators and place more responsibility on “the most capable and best-positioned actors.”

Likely driven in part by recent high level cybersecurity incidents, the Strategy places a particular emphasis on marshaling a whole-of-government approach to ensuring effective cybersecurity practices in critical infrastructure sectors. Some of the key components of that approach are detailed below.

What Owners and Operators of Critical Infrastructure Need to Know
Pillar One:
The primary strategic objective under pillar one is for the federal government to establish mandatory, performance-based cybersecurity regulations in critical infrastructure sectors.

The federal government will use available authorities to achieve this objective, citing recent examples of mandatory requirements in the pipeline, rail, and aviation sectors led by the Transportation Security Administration (TSA) and in the water/wastewater sector led by the Environmental Protection Agency.

Pillars two through five of the Strategy are not limited to critical infrastructure, but include other notable goals and initiatives that will be relevant to critical infrastructure owners and operators, such as the following:

A congressionally directed engineering strategy for clean energy technology, such as distributed energy resources.

Adoption and enforcement of a risk-based approach to cybersecurity across infrastructure-as-a-service (IAAS) sectors to prevent malicious actors from exploiting US-based infrastructure (e.g., cloud infrastructure)

An enhanced focus on the pernicious threat of ransomware attacks, which have targeted critical infrastructure and essential services.

Development of national data privacy legislation to drive greater accountability for organizations holding and using sensitive data, such as personal, health, and geolocation information. Perhaps like the EU’s answer: GDPR (General Data Protection Regulation)

Development of legislation establishing liability for software and hardware products and services that are sold with little regard for security – insecure passwords and no automatic ability to have the end user change them when purchased and deployed.

Incentivizing the adoption of secure software development practices, including the development of software bills of material (SBOMs) to support supply chain risk mitigation

Assessing the need for a federal cyber insurance “backstop” mechanism in response to catastrophic cyber events

Using international coalitions to reinforce global norms of “responsible state behavior,” such as refraining from cyber operations that would intentionally damage critical infrastructure

Challenges and Open Questions
The Strategy acknowledges that fully realizing its goals will require significant coordination and cooperation, particularly among stakeholders in the federal government. In particular, several significant strategic objectives, including the shift to mandatory regulations and greater legal accountability for software providers, will require legislative action.

To read the Full Strategy:
https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

To review the White House Fact Sheet:
https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

Note: Even though many of us do not want the government sticking their fingers in our security and internet services, the Biden administrations vision for beefing up the nation’s collective cybersecurity posture could be a step in the right direction. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and names China as the single biggest cyber threat to U.S. interests.