New National Cybersecurity Strategy Shifts America’s Cyber Social, Business Contract
After months of anticipation, the White House released its long-awaited National Cybersecurity Strategy on Thursday to improve the security and resilience of U.S. critical infrastructure.
The strategy “fundamentally reimagines America’s cyber social contract,” said acting National Cyber Director Kemba Walden in a press call. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it. Today across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.”
“The biggest, most capable, and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe,” she continued. “This strategy asks more of industry, but also commits more from the federal government.”
The fundamental recommendation in the strategy is that a “voluntary approach to security is inadequate,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology, in a panel discussion on the new strategy hosted by CSIS.
The strategy is designed to address existing cybersecurity threats and secure infrastructure against the threats of the future. It is constructed atop five pillars to build and enhance collaboration across agencies; state, local, and tribal governments; and the private sector.
Defend Critical Infrastructure
The strategy “will defend critical infrastructure by expanding minimum cybersecurity requirements for critical sectors, enabling public-private collaboration, and ensuring that our systems are kept to the level needed to meet the threat,” Neuberger said in the press briefing call. “It’s critical, as I said, that the American people have confidence in the availability and resiliency of our critical infrastructure and the essential services it provides.”
Some of this work has already been undertaken in the pipeline sector following the Colonial Pipeline ransomware attack. The Biden administration announced and implemented cybersecurity requirements for pipelines after the incident, along with additional requirements for railways. Neuberger said that more minimum cybersecurity requirements for other sectors are forthcoming.
“We recognize we need to move from just a public-private partnership, information-sharing approach to implement minimum mandates,” she said. “Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure.”
The administration will also look to enhance the cybersecurity and resilience of cloud service providers—third-parties that many critical sectors rely on—by working with industry, Congress, and regulators, according to the strategy.
But this will not happen in a vacuum. The strategy makes clear that the administration will keep in mind that critical infrastructure sectors have varying abilities to absorb the cost—both financial and human—of additional cybersecurity measures.
“In some sectors, regulation may be necessary to create a level playing field so that companies are not trapped in a competition to underspend their peers on cybersecurity,” the strategy said. “In other sectors, regulators are encouraged to ensure that necessary investments in cybersecurity are incentivized through the rate-making process, tax structures, and other mechanisms.”
Brian Harrell, former assistant secretary for infrastructure protection at DHS, says the new strategy is informed by major recent events, including SolarWinds, Log4j, the Colonial Pipeline ransomware attack, and the techniques of adversarial nations like China and Russia.
“The strategy shifts the burden from end users to the tech sector and manufacturers, requiring that hardware and software make devices more secure by design,” Harrell explains. “Building security into the product from the beginning, rather than a bolt-on after the fact, is a more secure and cost-conscious approach. Of course, it’s not possible to eliminate all defects, but right now there’s little incentive—beyond just general market reputation—to invest in a dramatic reduction of cyber vulnerabilities.”
Disrupt and Dismantle Threat Actors
The second pillar of the strategy focuses on disrupting and dismantling the ecosystem that allows cybercriminals to flourish due to the low cost of conducting attacks and limited ability to hold them accountable for their actions.
At the CSIS event, Walden explained that with the proliferation of cybercrime as a service, the United States needs to reduce the profitability of cybercrime and hold the private sector accountable for allowing criminals to use their infrastructure for their activity.
To do this, the strategy outlines goals to use “all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” including diplomatic, informational, military, financial, intelligence, and law enforcement capabilities. It will also require identifying ransomware as a national security threat, Neuberger said.
Achieving the goal of disrupting these criminal networks will involve creating multi-agency disruption campaigns that target criminal networks, rendering them unprofitable—methods that the U.S. government is already using to disrupt ransomware groups.
It will also require the federal government to work with cloud and Internet infrastructure providers to identify misuse of U.S.-based infrastructure, share reports of malicious activity with the government, and make it more difficult for malicious actors to gain access to them in the first place, the strategy explained.
“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” according to the strategy. “The administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity.”
Shape Market Forces to Drive Security and Resilience
To drive resilience across U.S. networks, the strategy commits the federal government to using its purchasing power and grant-making ability to incentivize security, reshape laws governing data losses and harm caused by cybersecurity errors, and explore how to stabilize insurance markets against catastrophic risk to drive better cybersecurity practices.
The strategy lays out that the administration plans to work with Congress and the private sector to develop legislation to establish liability for software products and services.
“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy explained. “To begin to shape standards of care for secure software development, the administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”
The Institute for Security and Technology (IST) is leading an effort to secure the open-source software ecosystem following the release of the Log4j vulnerability last year. In a blog post, the institute said that ensuring companies understand their cybersecurity obligations and providing incentives to implement them will help create the conditions needed to elevate the cybersecurity posture of the United States.
“Building security from the ground up is both more secure and less costly in the long run than trying to do so retroactively,” IST said in its blog. “Given that software forms an essential foundation in the cybersecurity ecosystem, we commend the strategy’s focus on its security.”
Invest in a Resilient Future
The strategy is not just about addressing the current risk landscape, but also stresses the need to position the United States to address the cyber risks of the future by making technology, infrastructure, and workforces more resilient.
“To do that, we need to make it so that when public- and private-sector entities face trade-offs between easy but temporary fixes and durable and long-term solutions, they are incentivized to consistently choose the latter,” Walden said in the press call. “This strategy calls for investments in our cyber workforce, our infrastructure, and the digital ecosystems underlying the technologies to improve our national resilience and economic competitiveness. Rebalancing the responsibility to defend cyberspace and incentivizing investments in a resilient future are the fundamental shifts that guide the president’s strategy.”
Outlined in the strategy are plans to have the federal government lead by ensuring its own networks have implemented security measures while working with stakeholders to develop and adopt improved Internet ecosystem security solutions. It also outlines a commitment for the United States to be heavily involved in supporting non-governmental Standards Developing Organizations to partner with industry leaders, allies, academics, professional societies, consumer groups, and nonprofits to secure emerging technology while protecting national security and economic advantage.
Additionally, the strategy commits the federal government to investing in research, development, and design to secure three families of technology that will be “decisive for U.S. leadership” in the next decade: computing-related technologies (microelectronics, quantum information systems, and artificial intelligence); biotechnologies and biomanufacturing; and clean energy technologies. It also commits to encouraging and enabling investment in digital identity solutions to reduce fraud.
Forge International Partnerships to Pursue Shared Goals
Beyond investments and regulations for the United States, the strategy also commits to working with the international community to build a shared digital ecosystem that is more resilient and defensible.
The U.S. Department of State is leading some of these efforts already and with the release of the strategy has recommitted itself to coalition building, strengthening international partner capacity, improving foreign assistance for recovery and response, and setting norms and deterrence models.
“The U.S. commitment to international partnerships on cyber issues remains strong, and the Strategy emphasizes working with our allies and partners to build a defensible, resilient, and values-aligned digital ecosystem,” according to a State Department press release. “Advancing shared goals requires promoting a global cyberspace where responsible state behavior is expected and where irresponsible behavior is both costly and isolating.”
The strategy, however, is only as good as its implementation plan, Harrell says.
“My hope is the strategy urges conversation at the industry board level and emphasizes cybersecurity as a critical business risk,” he adds.
The administration has not released a target date for the implementation plan to be available. When it is issued, however, National Security Council staff will coordinate and implement the efforts in coordination with the U.S. Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD).
Walden said at the CSIS event that she is looking forward to the challenge of implementing the strategy, explaining that implementation is what the ONCD was set up to do.
“We were built with the intent of implementing a strategy as robust and forward-leaning as this one,” she added.