National Cybersecurity Strategy
“National Cybersecurity Strategy”
is a document issued from the White House
by the Biden-Harris Administration
earlier this month.
In this document,
they state that through a new strategy
—with the same name—
there will be substantial changes,
starting in the United States,
concerning cyberspace and its use.
Changes that will reflect its values,
such as public safety and economic prosperity,
respect for human rights,
and trust in democracy.
As the fact sheet declares,
this strategy comes in addition
to previous and concurrent plans and efforts,
such as the National Security Strategy,
the National Defense Strategy,
Executive Order 14028,
National Security Memorandum 5, M-22-09,
and National Security Memorandum 10.
This strategy and other projects attest to the fact
that the U.S. recognizes that
cybersecurity is essential to its economy,
democracy, information privacy, and national defense.
In cooperation with the private sector,
President Biden’s Administration has worked
to strengthen the country’s cybersecurity and,
together with international allies and partners,
aims to improve collective prevention,
defense, and response to cyber threats from around the world
that run counter to shared interests.
Implementing the National Cybersecurity Strategy will require efforts,
collaboration, and investments by the U.S. government,
international allies, partners, civil society,
and the private sector.
Throughout implementation,
the Federal Government will collect and monitor data related to investments,
progress, results, and effectiveness of efforts.
Furthermore,
it will prioritize applying lessons learned from previous cyber incidents
and seek to keep up with the constant and accelerating changes
within the cyber ecosystem.
Let’s look at the issues this strategy aims to address
and the pillars on which it is based.
What are the problems to be addressed with this strategy?
The cyber environment continues to expand and grow more complex
at an accelerated pace,
not only in structure and interconnection,
for the good of companies and consumers,
but also in terms of cyber risks and threats.
Every day,
criminal groups,
including those backed by governments of autocratic nations,
dissenting from the interests and norms of the U.S. and allied countries,
target organizations and users worldwide.
They seek to exploit vulnerabilities both in computer systems
and in the people who operate them.
Their main aims are the theft of sensitive information
or monetary assets
and the disruption of operations or services.
As interdependencies in the digital ecosystem increase,
cyberattacks on a few spread rapidly,
affecting many as a consequence.
As the amount of sensitive information stored within cyberspace grows,
more people are at risk.
These are common problems today in the field of cybersecurity.
This strategy seeks to address them
with a stronger, larger-scale commitment,
aiming for positive changes that strengthen defense,
resilience, and national values
such as safety, democracy, and economic prosperity.
What is this new strategy based on?
The National Cybersecurity Strategy hinges on five pillars that,
for their part,
depend on two fundamental changes.
The first change is referred to as
“rebalance the responsibility to defend cyberspace.”
The Administration seeks to shift the cybersecurity burden
that falls on individuals, small businesses, local governments,
and other groups with limited resources
to those organizations better positioned
and capable of reducing the risk exposure of all stakeholders
within this shared digital ecosystem.
The second change is “realign incentives to favor long-term investments.”
The goal here is for stakeholders
to balance short- and long-term obligations in their cybersecurity.
Public programs and market forces can contribute
by rewarding early adoption of security and resilience,
coordinating investments in cybersecurity,
and promoting a collaborative approach to a better future.
The five pillars of this strategy are the following:
1. “Defend critical infrastructure”
With this pillar,
the ideal is to give citizens confidence
in the availability and security of critical infrastructure
and its services.
Unfortunately,
the rewards the market grants to companies
that own and operate such infrastructure
and voluntarily implement cybersecurity risk prevention
and mitigation strategies
are insufficient.
Likewise,
there has been a lack of mandatory requirements
that encourage the implementation of preventive measures,
so the Administration is focusing on establishing them
and expanding the use of minimum requirements
(while encouraging organizations to go beyond them)
for cybersecurity practices and outcomes
in critical sectors.
In addition,
in all sectors,
the Administration seeks to modernize regulatory frameworks
(basing them on existing standards and guidelines),
better adapt them to each sector’s changing risks and threats,
and harmonize them to avoid duplication
and streamline their implementation.
In line with what Fluid Attacks usually shares,
they state:
“The most effective and efficient regulatory frameworks
will be those put in place well before a crisis,
rather than through the imposition of emergency regulations
after a crisis occurs.”
Here,
the Administration emphasizes enabling and fostering collaboration
between public and private organizations
to defend critical infrastructure and its essential services
and prevent their disruption.
It also highlights the example
that the Federal Government can set
and the support it can provide to the defense of critical infrastructure
by modernizing the security of its own networks and systems
(under the principle of zero trust)
and improving its incident response policies.
When sectors of the critical infrastructure request support
from the Federal Government,
it should coordinate authorities and efforts
for a unified response
backed by predefined support possibilities and guidelines.
2. “Disrupt and dismantle threat actors”
Part of the purpose of this pillar is to make it impossible for cybercriminals
to mount or maintain campaigns
that threaten the security of the U.S.
Already,
the Federal Government has improved its capabilities
to respond to cybersecurity incidents;
it has arrested, prosecuted, and sanctioned transnational threat actors,
and recovered enormous amounts of money from illicit activities.
Based on these and other successes,
again highlighting the need
for continued and coordinated cross-sector collaboration,
it intends to persist in enhancing its strategies
to thwart campaigns before they have an impact,
render them non-profitable,
and dismantle cybercriminal groups.
The Administration intends to encourage support
from the private sector,
mainly since this sector has achieved a very broad understanding
of criminal activity
with its threat-hunting operations
and its accelerated optimization of capabilities and technologies.
The Federal Government also seeks to increase
the speed and scale of threat intelligence transmission
to provide early warning to potential or actual victims and defender teams.
In addition,
with a specific focus on ransomware attacks,
the U.S. aims to investigate this type of crime further,
leverage international authority and cooperation
to disrupt the operations of perpetrator groups,
strengthen the resilience of its critical infrastructure
to withstand these attacks,
and improve law enforcement against illicit cryptocurrency exchanges.
3. “Shape market forces to drive security and resilience”
According to the Administration,
cyberattacks’ severe and ongoing impacts
on sensitive information and industrial operations
“make clear that market forces alone have not been enough
to drive broad adoption of best practices in cybersecurity and resilience.”
Many organizations do not invest enough in cybersecurity
and end up affecting,
for instance,
small businesses that rely on them to some extent.
In this case,
the U.S. aims to change the situation
through the reformulation of laws
that regulate the responsibilities of those
who collect and manage personal data
and those who,
due to errors in the development of technology and lack of protection,
allow losses or damages that fall on citizens.
Many providers continue to ignore secure development or coding,
as well as security testing,
and introduce vulnerable products or services into cyberspace,
and,
because of their position in the market,
they manage to disclaim their liabilities by contract.
The Administration intends to start shifting these responsibilities to them,
especially to the most qualified ones,
and to establish higher security standards for high-risk scenarios.
The Federal Government will use purchasing power and grant-making
to incentivize the adoption of cybersecurity best practices.
The idea is to invest in new infrastructures
that are secure and resilient by design
and to maintain them that way throughout their lifecycle.
Moreover,
the Administration will encourage coordinated disclosure of vulnerabilities
in all technologies
and further development of SBOMs.
It will also develop processes to identify and mitigate risks
in unsupported software used in critical infrastructure.
Finally,
it seeks to prioritize funding
for research and development in cybersecurity technologies,
especially those to strengthen critical infrastructure.
4. “Invest in a resilient future”
On the one hand,
the Administration recognizes the vulnerabilities
in the fundamental structure of the Internet
and those that arise when something new is built on top of it.
In response,
it will rely on investment and collaborative action
to develop and implement security solutions in its networks
and reduce such vulnerabilities on the Internet.
On the other hand,
it emphasizes prioritizing research,
development, and demonstration (RD&D) in cybersecurity
for new-generation technologies
such as quantum information systems,
biotechnology, and clean energy infrastructure.
The idea is to invest in RD&D projects
to advance cybersecurity in areas such as encryption
(see, for example, post-quantum cryptography),
artificial intelligence,
cloud infrastructure,
operational technologies,
telecommunications, and data analytics.
Additionally,
in this pillar,
the Administration acknowledges the shortage
of specialized cybersecurity personnel
within and outside the nation.
As a response to this,
it seeks to contribute investment
to enable greater access to education in this field
and expand, diversify, and maintain a strong workforce.
5. “Forge international partnerships to pursue shared goals”
The Administration aims to build a coalition with other countries
“to maintain an open, free, global, interoperable,
reliable, and secure Internet.”
Ideally,
through international collaboration,
it will address common threats,
punish and disrupt transnational criminal groups,
protect against repression by them,
help improve the capacity of coalition members,
strengthen and defend globally accepted norms,
and build an increasingly secure and resilient ecosystem.
The U.S. and its allies will be able to “advance common cybersecurity interests
by sharing cyber threat information,
exchanging model cybersecurity practices,
comparing sector-specific expertise,
driving secure-by-design principles,
and coordinating policy and incident response activities.”
Finally,
other aspects of this last pillar include the U.S. interest
in working collaboratively
to generate new international law enforcement mechanisms,
create secure, transparent, and reliable global supply chains
for different technology products and services,
and support investigations, response, and recovery of allies
affected by incidents.
Is your company,
inside or outside the United States,
interested in improving and preserving a preventive cybersecurity posture?
Contact us,
and with our continuous manual and automated security testing,
we’ll help you get there!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/national-cybersecurity-strategy/