What the White House’s Cybersecurity Strategy Means for CISOs
Cybersecurity is a huge concern. Businesses and individuals stand to lose a lot of time and money in the event of an unauthorized exposure or corruption of sensitive data. And lately, these types of attacks have started impacting businesses that affect the entire population.
For example, the Colonial Pipeline ransomware attack in 2021 led to the shutdown of a crucial pipeline system that supplied about 45% of the East Coast’s fuel. Operations didn’t resume until an unknown amount, likely in the millions of dollars, was paid to the attackers.
These types of incidents involving high-profile organizations are, unfortunately, all too common. The San Francisco 49ers were hit with a ransomware attack that exposed information about 21,000 people. And the Glenn County Office of Education in California experienced a ransomware attack that cost it $400,000.
These are just a few examples from a long list of ransomware attacks experienced by organizations with access to ample resources that should have kept them safe.
This is why the Biden-Harris administration released its national cybersecurity strategy on March 2, 2023, which included a plan to address and minimize these threats.
As stated in the fact sheet, “Next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies.”
An increased reliance on technology over the last few years has prompted many companies to pursue digital transformation. But this technological revolution has exacerbated the cybersecurity challenges faced by these companies.
So how does the White House’s cybersecurity strategy impact your digital transformation?
Heightened Responsibility Expectations
The White House’s cybersecurity strategy is split into five pillars. Pillar three is the most applicable to companies pursuing digital transformation. As stated in the strategy:
“We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”
The reasoning for this is explained in section 3.1:
“When organizations that have data on individuals fail to act as responsible stewards for this data, they externalize the costs onto everyday Americans.”
The Experian hack of 2017 is a great example of the damage done to individuals as a result of a cybersecurity flaw. The company experienced a data breach and exposed the information of 147 million people.
The White House lays out several stipulations companies must address to keep protected data safe:
- Maintain secure IoT devices: New products connected to the internet will be subject to cybersecurity labels that outline the device’s default security settings.
- Shift liability of insecure software to providers: Responsibility will be placed on stakeholders who have the ability to impact the security of a product rather than users.
The White House also outlines the ways it will work to enforce these conditions:
- Use federal grants and other incentives to support security: The government will work with the private sector to balance cybersecurity requirements and technical assistance.
- Leverage federal procurement to improve accountability: Those who fail to provide adequate cybersecurity protections will be held accountable by government agencies.
- Explore a federal cyberinsurance backstop: Should catastrophic events occur, the government will ensure the economy remains stable.
Support From Government Agencies
The government recognizes the role it must play in helping private companies avoid falling victim to a cyberattack. Many of these attacks are coming from nation-state groups. Disabling these threat actors is a major aspect of the White House’s cybersecurity strategy.
Along with that, the federal government aims to protect critical infrastructure, such as water, gas and electric utilities. This will necessitate the cooperation of public and private enterprises.
Investing in the future includes reducing systemic technological vulnerabilities, prioritizing the development of new cybersecurity protections and building a robust cybersecurity workforce.
The response to global cyberthreats needs to extend beyond American borders. The White House is placing emphasis on forging international partnerships to fight against threat groups. Working with allies to counter these vulnerabilities increases our likelihood of success.
Prospects Moving Forward
The cybersecurity considerations we implement today will impact our ability to remain secure as threats continue to evolve. The White House’s plan of action is robust and forward-thinking. And while new regulations and laws are hinted at throughout the text, they are not explicitly suggested at this time.
But as threats continue to target critical aspects of our economy, new rules and regulations are sure to follow. The best thing an organization can do is start preparing today.
Digital transformations often focus on addressing customer needs. Properly mitigating threats requires that the security of your network and sensitive data be an essential aspect of the transformation as well.
Failing to incorporate data security considerations into every IT decision will leave you vulnerable in the short term and potentially culpable in the long term. A DevSecOps approach to application development, including automated security tools, should be implemented as soon as possible.
Technology shouldn’t move faster than our ability to protect it. The White House’s guidelines aim to put guardrails in place to ensure our systems remain secure against growing cyberthreats. Keeping these considerations in mind today will help your organization when new laws and regulations are put in place in the future.