First, here are some of the highlights from the White House fact sheet on the new National Cybersecurity Strategy:
- We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
- We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
INTRODUCTION
PILLAR ONE | DEFEND CRITICAL INFRASTRUCTURE
PILLAR TWO | DISRUPT AND DISMANTLE THREAT ACTORS
PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE
PILLAR FOUR | INVEST IN A RESILIENT FUTURE
PILLAR FIVE | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS
IMPLEMENTATION
The Center for Strategic and International Studies (CSIS) released this online discussion this week on the strategy with remarks from Acting National Cyber Director Kemba Walden and Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger.
MEDIA COVERAGE
Coverage of the new National Cybersecurity Strategy has been widespread and varied. Here’s a roundup from some of the top perspectives:
Excerpt: “The White House on Thursday released an ambitious national cybersecurity strategy that calls for new federal regulation of vulnerable critical infrastructure firms and for software makers to be held liable when their products leave gaping holes for hackers to exploit.
“The strategy — shaped by major hacking incidents that threatened key public services in the first year of the Biden administration — embraces the U.S. government’s regulatory and purchasing power to force companies that are critical to economic and national security to raise their cyber defenses.
“It reflects a widely held belief in the U.S. government that market forces have failed to keep the nation safe from cyber criminals and an array of foreign governments such as Russia and China.”
Wall Street Journal: How the U.S. National Cyber Strategy Reaches Beyond Government Agencies
Excerpt: “Overseen in part by former National Cyber Director Chris Inglis, who retired in February, the 35-page document contains recommendations on a broad swath of cyber policy, from international collaboration on tackling cyber crime to securing Internet-connected devices.
“The new strategy replaces a document issued in 2018 by the Trump administration.
“Some elements of the strategy, including that the federal government should assess the need for a government backstop for cyber insurers, are speculative. Others specify direct action, such as plans for regulations in critical infrastructure sectors such as health care, financial services and water that define minimum cybersecurity standards.
“‘The president’s strategy fundamentally reimagines America’s cyber-social contract,’ said Kemba Walden, the acting national cyber director, during a call with reporters Wednesday. ‘It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it,’ she said.”
The Record: White House pushes for mandatory regulations, more offensive cyber action under National Cyber Strategy
Excerpt: “The plan touts many of the cybersecurity regulations already handed down for oil and natural gas pipelines, aviation, rail and water systems. But it notes that more will be needed and the White House plans to work with Congress to fill 'gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures.'
“Senior administration officials were tight-lipped about which industries would require congressional action to regulate or what sectors would be next to receive mandatory regulations. But they mentioned that the Environmental Protection Agency will begin enforcing new cybersecurity rules on water facilities in the coming months.
“In addition to the Cybersecurity and Infrastructure Security Agency (CISA) leading the way on a new National Cyber Incident Response Plan and incident reporting rules, the strategy made clear that the federal government needs to do a better job of outlining how private-sector partners can reach federal agencies for support during cyber incidents and what forms of support the federal government may provide.
“The plan also focuses heavily on the need for U.S. agencies to go on the offensive against cyber threat actors, both through more forceful means and through methods currently in use like sanctions and court action.”
HealthITSecurity: How The New National Cybersecurity Strategy Will Impact Healthcare Cybersecurity
Excerpt: “‘The health-care sector is implicitly included in the strategy’s discussion of critical infrastructure, and will be affected by three specific elements as well as the federal government’s efforts to disrupt criminal infrastructure,’ Mike Hamilton, CISO of Critical Insight, told HealthITSecurity.
“‘First, the regulatory requirements will grow, likely with enhanced focus on third-party risk management. Because of the increasing trend to compromise health-care entities through business associates, assessing and monitoring third-party security controls will be an additional regulatory task.’
“In fact, a key focus area of the document is vendor accountability. The administration expressed support for shifting cybersecurity liability, noting that it should fall on both ‘the owners and operators of the systems that hold our data and make our society function,’ and the technology providers that these owners and operators rely on.
“‘Second, the initiative to work with vendors to ensure the security of IoT devices — including medical IoT — will serve to take the burden off health care to secure products post-implementation,’ Hamilton continued.”
Axios: Biden administration releases national cybersecurity strategy
Excerpt: “The strategy also declares ransomware a ‘threat to national security, public safety and economic prosperity,’ opening a door to dedicating more intelligence community resources to fighting the problem.
- Cybersecurity requirements will continue to be baked into federal grant programs and the procurement process as an incentive for companies to improve their cybersecurity. ...
“Between the lines: Much of the national cybersecurity strategy builds on existing work already being done throughout the Biden administration, such as cracking down on ransomware gangs and reviewing what regulations are in place for critical infrastructure sectors.
- ‘A lot of the work we've done on critical infrastructure is already underway,’ Anne Neuberger, deputy national security adviser for cyber and emerging tech, told reporters. ‘The strategy codifies the first two years of putting in minimum cybersecurity requirements for pipelines, for railways, and shortly for additional sectors we'll be announcing.’
“Yes, but: A senior administration official told reporters the administration sees the strategy as a long-term, 10-year plan, rather than something that can be implemented overnight.
- Legislation to make software makers liable for data security issues would need to pass Congress and require input from the private sector, for example.”
FINAL THOUGHTS
I posted the WSJ article on LinkedIn last week, and I found the comments to be very interesting. You can see that dialog here. Also, see the comments on my former Michigan government colleague Ric Tombelli’s LinkedIn post. (Yes, they are all over the map.)
Expect much more to be written and debated regarding this new National Cybersecurity Strategy over the coming year, as the details, implications and action plans come into a clearer focus.
Nevertheless, I think this long-anticipated strategy is an excellent next step for the White House and CISA. I am frankly surprised that this has taken as long as it has to be released by the Biden administration; the previous Trump administration cyber strategy came out in 2018.
The strategy accelerates existing trends around more regulation and compliance and brings in new twists in vendor accountability and cyber insurance perspectives that will take years to play out.
I highly recommend cyber pros read the full plan, watch the YouTube video discussion in this blog, and work with their teams to discuss how this impacts their industry and organization.