What to know about the new U.S. National Cybersecurity Strategy
Last Thursday, the Biden-Harris Administration officially published the new, much anticipated National Cybersecurity Strategy. The last strategy document was published in 2018, and much has changed in the last five years in terms of hybrid working, the growth in cloud adoption and the need to address industry-wide challenges around ransomware, software supply chain attacks and an uncertain geopolitical landscape.
The Biden Administration has not been idle in its approach cybersecurity. The Executive Order (EO) on Improving the Nation’s Cybersecurity was issued in May of 2021, followed by multiple National Security Memorandums covering zero trust, critical infrastructure and more. An increasingly active Cybersecurity and Infrastructure Security (CISA) agency also continues to drive industry and agency behavior through the establishment of the Known Exploitable Vulnerability (KEV) catalog and additional binding orders.
The Five Pillars of Cybersecurity
This ambitious new strategy is centered around five pillars, intended to address both immediate cybersecurity concerns and persistent attacks, as well as long-term structural issues across the wider industry, such as software vulnerability liability, the need for a skilled cybersecurity workforce and more.
The five pillars of the National Cybersecurity Strategy include:
- Defend Critical Infrastructure
This Administration has already introduced new regulation around cybersecurity for oil & gas, aviation and rail sectors. Now, they are looking to extend this across all critical national infrastructure. Details are light at this point and will be developed in consultation with industry, but the report highlights supply chain and cloud as areas that require greater attention.
This pillar also looks to align Federal efforts with the wider market, leading with CISA to address threat intelligence sharing and incident response best practices. The final section of this pillar is focused on effort to modernize outdated Federal defenses, working on Zero Trust principles to improve US government security posture.
- Disrupt and Dismantle Threat Actors
Pillar two focuses on efforts to grow public and private partnerships around intelligence sharing on threat actors. This focuses specifically on the work done by the Department of Justice (DOJ) and other agencies on the disruption of online criminal activity, including botnets and seizing cryptocurrency ransomware payments. It also prioritizes the need for US cloud service providers to secure their own environments and prevent them from being used to deliver cyber attacks. The key objective for this pillar is a coordinated, international effort to combat ransomware by improving target resilience and increasing the potential deterrents.
- Shape Market Forces to Drive Security and Resilience
‘Shaping market forces’ means increased regulation, which is planned for in multiple areas. First, a growth in consumer data protection standards—not only around the collection and use of personal data, but also their secure storage. Secondly, the risk posed by Internet of Things (IoT) devices, which are often difficult to patch or upgrade, building on the IoT Cybersecurity Act of 2020.
The third proposed legislation looks shifting liability from the buyer to the manufacturer of insecure software, likely to be a complex process given the nature of modern software development with open-source and common third-party libraries forming an extensive part of the code. A key part of this will be vulnerability disclosure and the wider adoption of SBOMs to provide greater insights into cyber risk.
- Invest in a Resilient Future
The fourth pillar is more focused on strategic cybersecurity goals—geared towards how Government can help to build a qualified pipeline of candidates to address the hundreds of thousands of unfilled cybersecurity vacancies in the US alone. Other significant initiatives include the development and standardization of a Digital Identity Ecosystem, increased investment in Federal R&D, and the need to drive adoption of a more secure Internet, through partnership with governmental and standards bodies worldwide.
- Forge International Partnerships to Pursue Shared Goals
Cyber attacks do not respect national borders, so any initiative needs to be globally focused. The final pillar in the new Cybersecurity strategy addresses this need. Leveraging existing bodies such as the United Nations and NATO, or working through bilateral cyber partnerships, such as those with the United Kingdom and Australia, this initiative looks to share experience and intelligence to understand and defeat attackers. A key part of this includes securing the global supply chain, both for 5G and next-gen wireless networks, but also to establish a more diverse supply of critical Internet building blocks, such as semiconductors.
What is the potential impact on your organizations exposure management strategy?
This new National Cybersecurity Strategy has lofty ambitions. We will have to see how this results in legislation, and what additional regulation will emerge to drive change in our organizations. Critical National Infrastructure (CNI) companies can certainly expect to see more specific, rigorous cyber regulation. The Strategy makes it clear that it will look to NIST and CISA for guidance in establishing these new regulations, so it could be useful to look at some of the recent Binding Operational Directives (BOD) that have been issued for Federal civilian agencies as the potential direction of travel.
What is clear is that this Strategy will increase the focus on how organizations address critical vulnerabilities, understand and manage their attack surface, and address software supply chain issues. Another interesting area of change is around security automation. The report states, “We must complement human-to-human collaboration efforts with machine-to-machine data sharing and security orchestration. Realizing this model will enable real-time, actionable and multi-directional sharing to drive threat response at machine speed.” For the industry to respond to the pace and scale of modern attacks, this embrace of automation is a requirement.
To learn more about how a modern approach to threat exposure management aligns with the new National Cybersecurity Strategy, check out our report with TAG Cyber: Transforming Attack Surface Management as a Keystone to Modern Security.