On March 2, 2023, the Biden administration announced its National Cybersecurity Strategy. The administration’s stated goals for the strategy are “to secure the full benefits of a safe and secure digital ecosystem for all Americans.” Here we outline key points to help organizations navigate, manage, and prepare for the implications of the National Cybersecurity Strategy.
Overall Takeaways
Whether your organization is in the public or private sector, your cybersecurity program will feel the impact of the National Cybersecurity Strategy. The strategy document makes the following clear:
- Minimum cybersecurity requirements will cascade across industries.
- Technology is critical infrastructure.
- Protecting technology is a national security imperative.
- Private enterprises are a critical dependency for national security.
What follows is a short description of the five pillars described in the full National Cybersecurity Strategy document.
Pillar One: Defend Critical Infrastructure
In countries like the United States, private sector technology underpins vital services afforded to citizens. Up until now, the responsibility to protect that technology has been placed on private enterprise. This announcement by the Biden administration signals that the federal government intends to take a stronger stance to scrutinize and enforce that defense and, in some instances, support it.
Strategic Objective 1.1 — Establish Cybersecurity Requirements To Support National Security And Public Safety
Critical infrastructure presents a target-rich environment for nation-state and other malicious actors. Companies like oil, natural gas, aviation, and rail providers have established cybersecurity requirements — those will now expand to all critical infrastructure providers. The CISA (Cybersecurity and Infrastructure Security Agency) lists key critical infrastructure providers, but no doubt the scope of these regulations will expand as the government recognizes the broad reach of cyberattacks that affect national security.
Strategic Objective 1.2 — Scale Public-Private Collaboration
The administration is introducing more robust collaboration between the CISA, sector risk management agencies (SRMAs), and private sector organizations to increase collaboration and improve partnership at scale — using yet-to-be-defined technologies. This is likely going to be a partnership of threat intelligence sharing, which is described in more depth in Pillar Two.
Strategic Objective 1.3 — Integrate Federal Cybersecurity Centers
Building on the Cyberspace Solarium Commission’s proposal for an integrated public-private cyber center in the CISA, the administration will fuse cyber defense planning and operations across the government with private sector and international partners. In practice, this means that the executive branch will continue to augment the CISA’s role as national coordinator for critical infrastructure with the FBI’s law enforcement arm and with the intelligence community’s cyber intelligence collection and analysis capabilities.
Strategic Objective 1.4 — Update Federal Incident Plans And Processes
Large private sector organizations have comprehensive incident response plans and playbooks that detail to the letter who within the incident response ecosystem should be contacted and when — with the exception of law enforcement. The number of agencies (and their respective outposts or field offices) that either offer themselves as contacts or expect to be contacted during a major breach or attack is confusing to security leaders. This objective streamlines the notification and escalation process to ensure information sharing and ownership of response actions for those incidents, such as those on critical infrastructure, that require a federal response.
Strategic Objective 1.5 — Modernize Federal Defenses
It’s no surprise that Zero Trust (ZT) continues to be a driver for federal cybersecurity. Federal civilian agencies, and, more recently, the Department of Defense have been issuing executive orders and Office of Management and Budget memorandums describing the steps, and associated timelines, for implementing ZT within federal systems. Data security is at the forefront of the charge, and for good reason, as data is at the center of ZT and must be secured beyond due diligence. Renewed emphasis has been placed on operational technology systems and networks, as they have historically tended to be left by the wayside from a networking and security perspective. Forrester believes that the commercial ZT adoption landscape will be changed as organizations not only recognize the benefits of ZT but also see it as becoming a cost of doing business with the US federal government.
Pillar Two: Disrupt And Dismantle Threat Actors
Cyberattacks are currently out of the control of the federal government. This pillar’s goal is to level the playing field by making attacks more costly for the attackers, improve collaboration between the private sector and the public sector, and expand breach notification requirements.
Strategic Objective 2.1 — Integrate Federal Disruption Activities
The administration’s goal is to make cyberattacks so costly that they are no longer profitable nor a viable means of achieving nation-state ends via disruption campaigns. Some security tools take this approach currently, such as using bot management tools to raise costs of bot attacks. This will likely be a broader effort of combined technology disruption, however, plus ZT implementation to harden infrastructure.
Strategic Objective 2.2 — Enhance Public-Private Operational Collaboration To Disrupt Adversaries
The federal government admits that the private sector has more knowledge of threat actors than it can collect on its own. Because of this, it is enhancing collaboration through The National Cyber-Forensics and Training Alliance, among other nonprofits. If done well, this coordination will improve shared threat intelligence capabilities across the public and private sector. The delivery and quality of that threat intelligence remains to be seen, however.
Strategic Objective 2.3 — Increase The Speed And Scale Of Intelligence Sharing And Victim Notification
Breach notification is much more than a regulatory requirement. How organizations respond and communicate to stakeholders about data breaches and other disruptive events such as ransomware sets the tone for recovery.
Strategic Objective 2.4 — Prevent Abuse of US-Based Infrastructure
Infrastructure-as-a-service (IaaS) providers will be held to a higher standard in terms of the speed at which they must respond to and alert on cyberattacks. IaaS providers are effectively considered critical infrastructure now.
Strategic Objective 2.5 — Counter Cybercrime, Defeat Ransomware
The administration is taking a four-pronged approach to cybercrime and ransomware defense:
- International cooperation
- Law enforcement investigations of ransomware actors
- Critical infrastructure resiliency
- Addressing abuse of virtual currency
Importantly, the administration does not explicitly state that ransomware payments will be scrutinized or banned — while they heavily discourage them. Ultimately, the strategy promotes reporting ransomware incidents to law enforcement.
Pillar Three: Shape Market Forces To Drive Security And Resilience
This pillar emphasizes accountability and incentives: financial sticks and carrots to build security and resilience into the US technology ecosystem.
Strategic Objective 3.1 — Hold The Stewards Of Our Data Accountable
Organizations that collect, use, transfer, and maintain personal data have a responsibility for securing that data and protecting individuals’ privacy rights. This responsibility is much more than a regulatory obligation. It is a foundation for building trust and competitive differentiation in a digital world.
Strategic Objective 3.2 — Drive The Development Of Secure IoT Devices
Internet-of-things (IoT) devices are used in organizations of all sizes, locations, and industries to perform a variety of tasks. Because of a history of poor cybersecurity practices in development and deployment, IoT devices have become a prime target of attacks. Changing this requires that new devices be built securely by default and adopting networking and device security practices that limit who — or what — can talk to these devices inside and outside of the organization.
Strategic Objective 3.3 — Shift Liability For Insecure Software Products And Services
Companies are in for a rude awakening, as the strategy makes them liable for security flaws in their products and services. With this shift, securing what you sell becomes not just a strategic objective for top-line CISOs to enable the business but also a defensive measure to protect the business. Companies are also responsible for any open source and third-party dependencies assembled, packaged, and utilized by the product. Incorporating a software composition analysis (SCA) tool in the software development lifecycle provides visibility into the risks of third-party libraries; the SCA tool will generate a software bill of materials that can be used as evidence of secure software development practices.
Strategic Objective 3.4 — Use Federal Grants And Other Incentives To Build In Security
With the government offering financial support to build security in, now is the right time to gauge the maturity of your product security program and develop a roadmap for improving product security at every stage of the product lifecycle. For new products and prototypes, follow the principles of minimum viable security to make sure that security is right-sized even at the earliest stages.
Strategic Objective 3.5 — Leverage Federal Procurement To Improve Accountability
As the administration works to establish liability for software products and services, it’s also using contracting requirements to hold companies accountable. “Plausible deniability” isn’t a valid legal strategy — if a company makes a contractual commitment to the government, it is accountable for following cybersecurity best practices. Knowingly providing defective products, misrepresenting security practices, or failing to monitor and report cyber incidents could result in the Department of Justice filing civil actions under the False Claims Act.
Strategic Objective 3.6 — Explore A Federal Cyber Insurance Backstop
Cyber insurance is one component of a multilayered cybersecurity and risk management strategy. Today’s environment of systemic risks stemming from global events, geopolitical threats, and third-party risk events has a cascading impact on and across organizations — and the cyber insurance market. The call for a federal response to support the existing cyber insurance market is welcomed. This kind of subsidization, however, could be costly to the government, much like individual flood insurance. If exploration moves to enactment, reforms will likely be needed in the future. Meanwhile, organizations must address the current reality of cyber insurance market dynamics and increasingly stringent requirements for obtaining cyber insurance policies.
Pillar Four: Invest In A Resilient Future
Every strategy requires looking ahead into the future and planning for disruption. This strategy is no exception. The document makes clear the need to invest in, develop, and secure the internet, develop and safeguard cybersecurity intellectual property, and cultivate practitioner skills.
Strategic Objective 4.1 — Secure The Technical Foundation Of The Internet
The US’s governmental focus on vulnerable infrastructure is not a new idea; it is frequently overlooked, however, while planning for innovative technology adoption strategies. The US government’s proactive alignment with industry leaders, academia, and allied nations will foster global standards of interoperability, thereby increasing adoption rates while working toward global security standards.
Strategic Objective 4.2 — Reinvigorate Federal Research And Development For Cybersecurity
Much cybersecurity innovation has been driven by the investment community, focusing on solutions to solve individual cyber problems. This pillar is forward-looking and aims to drive investment in the security of “computing-related technologies, including microelectronics, quantum information systems, and artificial intelligence; biotechnologies and biomanufacturing; and clean energy technologies.” We expect this strategy to initiate even more cybersecurity innovation than we already have in the US — focused on these strategic areas — as the federal government encourages technology builders to improve cybersecurity.
Strategic Objective 4.3 — Prepare For Our Post-Quantum Future
In recent months, the US government has pushed its agencies to plan for the transition to post-quantum cryptography. Now, it is also pushing the private sector to invest in that same migration. This will require major efforts in: 1) data discovery; 2) encryption discovery; and 3) data protection rearchitecture for cryptographic agility. Organizations should prepare for the risks to traditional cryptography and the move to post-quantum.
Strategic Objective 4.4 — Secure Our Clean Energy Future
Last year, the Biden administration passed the Inflation Reduction Act that came with $369 billion for greenhouse gas emissions reduction and climate risk adaptation through tax incentives and directed investment in clean energy projects, including domestic manufacturing of clean energy technology. Creating a national clean energy infrastructure relies on cloud-based technologies and devices that adversaries will try to exploit. This section calls for a “security by design” approach to clean energy technology described in the Department of Energy’s National Cyber-Informed Engineering Strategy, whereby cybersecurity controls are embedded early in the design lifecycle of engineered systems to reduce cyber risks and vulnerabilities, rather than being added after manufacturing.
Strategic Objective 4.5 — Support Development Of A Digital Identity Ecosystem
The emphasis on establishing a digital identity ecosystem will accelerate innovation around solutions for phishing-resistant authentication (as emphasized in the 2022 memo, M-22-09: Moving The US Government Toward Zero Trust Cybersecurity Principles). The most profound impact of this strategic objective, however, will be on enabling trusted digital identities. The concept of trusted digital identity is simple: It’s the high degree of confidence that an organization, person, device, and machine are who or what they represent themselves to be. While the definition is simple, creating trusted digital identities and the trust ecosystem around them is not.
Strategic Objective 4.6 — Develop A National Strategy To Strengthen Our Cyber Workforce
The nation faces a severe and chronic staffing shortage for cybersecurity talent, threatening to burn out those in security roles and leaving firms — and government agencies — vulnerable to attack. This shortage, however, is largely self-inflicted, owing mostly to rigid hiring practices and a lack of new talent entering the cybersecurity career pipeline. The implementation of the National Cybersecurity Strategy doubles down on the work that the Biden administration has already done to encourage and enable cybersecurity apprenticeships and other training and education programs to increase diversity and address unique challenges faced by critical infrastructure providers and government agencies.
Pillar Five: Forge International Partnerships To Pursue Shared Goals
Pillar Five breaks down the international relationships and norms that the US government has in place and hopes to establish for broader impact on its cybersecurity initiatives. Ultimately, the world must move toward a more unified understanding of, response to, and constraints around how cyberattacks are used for nation-state ends. Each strategic objective outlines a piece of this work.
Strategic Objective 5.1 — Build Coalitions To Counter Threats To Our Digital Ecosystem
The administration is establishing a set of shared goals for cyberspace, with existing partnerships in the United Nations, the Quadrilateral Security Dialogue, and others. This will hopefully improve the collaboration and shared threat intelligence between nations, increasing visibility into threat actor activity.
Strategic Objective 5.2 — Strengthen International Partner Capacity
The federal government and the Department of State are enhancing military-to-military partnerships with other allied nations.
Strategic Objective 5.3 — Expand US Ability To Assist Allies And Partners
The US recognizes the toll that recent cyberattacks against countries have taken and intends to enhance this partnership with groups such as NATO to build an incident support capability with allies.
Strategic Objective 5.4 — Build Coalitions To Reinforce Global Norms Of Responsible State Behavior
Cybersecurity norms have yet to be established and upheld by all nations. The UN has some established norms for peacetime, but many nations fail to comply, and as of yet, there are no consequences for it. This establishes an intent to not only expand those norms to more nations but also to enforce them.
Strategic Objective 5.5 — Secure Global Supply Chains For Information, Communications, And Operational Technology Products And Services
Forrester data shows that 33% of cyberattacks were caused by a supply chain or third-party breach. The administration takes a multipronged approach to combat national dependence on a “growing network of foreign suppliers” for products and services that introduce “systemic risk to our digital ecosystem.” This is a long-term strategy, not a short-term fix, and calls for public/private sector collaboration, reshoring manufacturing of critical components and systems, and prioritizing resilience and supply chain security.
This post was written by VP, Principal Analyst Jeff Pollard and it originally appeared here.
