President Joe Biden laid out his plans to secure the future of America’s digital ecosystem in the latest US National Cybersecurity Strategy, released Thursday by the White House. Cybernews got the inside scoop on what it all means going forward from several known security experts.
The 35-page agenda aims to “better secure cyberspace and ensure the US is [in] the strongest possible position to realize all the benefits and potential of our digital future,” Biden wrote in the strategy’s foreword.
Fundamental shifts in how the US allocates roles, responsibilities, and resources in cyberspace are the driving force behind the new strategy, the White House stated.
The strategy states its ultimate goal is to make US cyberspace defensible and resilient, while staying aligned to the nation's core values.
The much anticipated strategy “is a meaningful leap in a positive direction towards minimizing digital risks for all Americans,” said James Foster, CEO at ZeroFox, a tech security firm based in Washington DC.
“It’s a strong foundation for growth of the cybersecurity industry, which has been thrust into the forefront of conversations about keeping our nation secure as the definition of security has expanded to include the physical and digital world,” Foster said.
Awareness of emerging trends, building upon existing policies, and favoring long-term investments are just some of the administration's overarching themes.
To reimagine US cyberspace, the strategy outlines five basic pillars intended to strengthen infrastructure within the country's borders and connections with overseas allies.
Overall, the strategy is designed to rebalance the responsibility of cybersecurity so it is spread evenly between the government, private and public sectors, instead of leaning heavily on small companies and individuals.
“The White House’s new national cybersecurity policy provides a base for all of us to evolve security best practices and improve cyber resilience even more,” said Bryan Patton, Principal Solutions Consultant at Quest Software.
"I'm pleased to see that collaboration between the public and private sectors, from developing software that is secure by design, to investing in the cybersecurity talent pipeline, to creating a federal backstop for cyber insurance, is a top priority," said Patton.
Pillar 1: Defend Critical Infrastructure
The first pillar – Defend Critical Infrastructure – is essential to national security, according to the administration.
The Biden Plan would help develop and implement regulations across different critical infrastructure sectors, promote private and public partnerships and reinforce already established best practices.
“A national cyber strategy is overdue and it’s very welcome to see White House leadership talking about cybersecurity as a fundamental risk to freedom and order in the world this century,” said Kevin Bocek, vice president at identity management firm Venafi.
Additionally, the plan will create new collaborations aimed at protecting and securing the nation's critical infrastructure by building innovative security capabilities, improving coordinated incident response, and creating new federal cybersecurity centers across the nation.
Part of this goal would be to prioritize the modernization of federal network systems.
Pillar 2: Disrupt and Dismantle Threat Actors
The second pillar – Disrupt and Dismantle Threat Actors – is “an essential part of a well-rounded overall cyber strategy,” said Foster.
“As modern threat actors scale their attack campaigns and become sophisticated enough to dance around traditional defensive security, chasing down detected threats can feel like running in circles,” Foster said.
“All it takes is one tiny misstep for a cybercriminal to take advantage,” he added.
The strategy would utilize all avenues: diplomatic, military, financial, intelligence, and law enforcement capabilities, and again promote federal and non-federal cooperation to protect both public and national security.
“Prioritizing disruption of threat actors shifts our strategy from reactive to proactive, a subtle yet important change to how Americans view cybersecurity overall,” Foster said.
Citing cybercrime and ransomware as the nation’s main targets, the objective would combine resources and new techniques and develop fast tracks to support instantaneous information sharing about threats and victims among all sectors, national and global.
On the other hand, even with the backing of federal resources, Bocek stated, “We can’t fool ourselves. It’s still the role of businesses to protect themselves and their customers.”
“This can’t be offloaded and ultimately, there is no defense force or police that will save businesses from cyber-attacks. This is a reality that the leaders in government must understand,” Bocek said.
Pillar 3: Shape Market Forces to Drive Security and Resilience
The third pillar – Shape Market Forces to Drive Security and Resilience – will not only promote data privacy for individuals but push corporations to take responsibility for developing secure software, products, and services, including secure IoT devices.
Peter McKay, CEO of Snyk, said this "rallying cry" for developer security is something that should be addressed by companies before rules and penalties are put in place.
“Snyk has seen numerous organizations that are embedding secure software best practices in their development cycles from the start or the initial line of code. They are doing this by empowering their own developers to create secure applications in a seamless and responsible way," McKay said.
"By integrating and automating secure software development practices into their workflows, they are deploying ways to find, fix, and remediate vulnerabilities in both pre-production and production applications, and as a result, bringing developers, IT, and security teams together as one team," said McKay.
But some security experts think it's all a bit redundant. Strategic Security Solutions (S3) CTO Paul Kohler believes the strategy will have a limited impact on the industry.
“The fact of the matter is the overwhelming percentage of breaches today are linked to a human element,” Kohler said.
“These can be lost credentials, misconfiguration, failure to follow process. They are not directly linked to product defects. As an organization or as an individual, I cannot outsource my risk to another entity. Reputable technology companies were already taking reasonable measures to secure their products and services,” said Kohler.
Bocek agrees the changes will not just happen because of the new directive.
“Building in security, such as securing the identity of customers or machines, is our only path to success and the future,” said Bocek.
"Engineers ultimately decide the success or failure of not just their own businesses but others as well," Bocek added. "The good news is that leading businesses have recognized this need already."
Part of this initiative also includes creating a federal insurance backstop to help stabilize the economy if a catastrophic event were to occur.
Pillar 4: Invest in a Resilient Future
The fourth pillar – Invest in a Resilient Future – will strive to incentivize long-term investments to reduce systemic technical vulnerabilities, bolster security resilience, and foster a robust cyber workforce.
This would be achieved by prioritizing cybersecurity research and development for next-generation technologies such as post-quantum encryption, digital identity solutions, and clean energy infrastructure, as stated in the strategy.
Kaniah Konkoly-Thege, chief legal counsel for Quantinuum, the world's largest quantum computing firm, said the “strategy comes on the heels of the recent quantum legislation signed by President Biden in December."
This legislation “is designed to help federal agencies proactively shift to a post-quantum security posture, prioritizing the adoption of post-quantum cryptography standards across the government,” said Konkoly-Thege.
The chief counsel said the new National Cybersecurity Strategy will support the changes and help federal agencies be “hardened against cyberattacks from future generations of more powerful quantum computers.”
“The new landscape of quantum-related announcements and requirements from the federal government also creates urgency for many vendors and government contractors because those who are non-compliant will be named in reports and likely suffer reputational and economic consequences,” Konkoly-Thege said.
Federal agencies have until May 4, 2023, to submit an inventory of potentially vulnerable systems to the US Office of Management and Budget, the chief counsel noted.
“While the guidance does not go in-depth regarding steps to prepare for a post-quantum future, NIST is currently in the process of standardizing these algorithms with final standards due to be released in 2024," said Konkoly-Thege.
Pillar 5: Forge International Partnerships to Pursue Shared Goals
Finally, the fifth pillar – Forge International Partnerships to Pursue Shared Goals – will focus on strengthening ties with US allies, developing parameters to define normal cyber conduct on a global scale, and establishing ways to hold other nation-states accountable for irresponsible behavior.
That is no small task given China, Russia, and other repressive regimes that freely harbor and support organized cybercriminal activity while openly suppressing freedom of speech and other basic human rights.
US values defined in the strategy include “economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society,” according to the White House.
This last pillar seeks to expand digital connectivity across the globe – helping to forge the path for free and open internet access, reliable and secure, for all unserved areas and oppressed populations worldwide.