The White House has released its long-anticipated National Cybersecurity Strategy, a comprehensive document that proposes fundamental changes in how the US allocates "roles, responsibilities, and resources in cyberspace."
The strategy is the product of months of discussions among more than 20 government agencies and countless consultations with private sector organisations.
It addresses virtually every weakness and challenge in cybersecurity, from software and internet infrastructure vulnerabilities to workforce shortages.
Chief among the changes proposed in the strategy is a new effort to "rebalance" the responsibility for cyber risk by requiring software providers to assume greater responsibility for the security of their products.
The strategy also expands minimum mandatory cybersecurity requirements for critical sectors, and it sets out a more comprehensive, coordinated approach to bolstering US Cyber Command's ability to engage in offensive operations, building on the defend-forward policy that began during the previous administration.
The strategy is just the latest effort in a series of actions taken by the Biden-Harris administration to tackle the increasing number of cybersecurity threats and position the US to better defend itself against cyber adversaries.
"The strategy builds on two years of unprecedented attention that the president has placed on cyber issues," Kemba Walden, acting national cyber director, said during an event at CSIS.
"The May 2021 executive order set the tone committing the government to significantly enhancing our defenses and using our purchasing power to drive improvements into the broader ecosystem."
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said at the same event, "You've seen the Biden-Harris administration look at emerging technology areas with a careful eye to security.
The fundamental principle of the strategy says we need an open, secure, and interoperable cyberspace. It's possible to do it. We'll do it with our partners in the private sector and countries around the world."
Defend critical infrastructure
The strategy is organised around five "pillars". The first pillar is to increase security by stepping up regulation of critical infrastructure.
"The lack of mandatory requirements has resulted in inadequate and inconsistent outcomes," the strategy states. "Today's marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents."
To establish better defenses, the federal government will use existing legal authorities to set performance-based cybersecurity requirements for critical infrastructure organisations, leveraging frameworks such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, among others. Where those authorities do not exist, the administration hopes to work with Congress to pass legislation to create them.
Because many critical infrastructure organisations rely on cloud computing, the administration will identify gaps in the cloud computing industry and other essential third-party providers. In addition, the administration will further seek to harmonise its requirements with international obligations while urging state regulators to consider funding sources to meet those requirements.
This pillar also reinforces the often-cited but rarely fully realised goals of strengthening public-private collaboration to improve cybersecurity, better integrating cybersecurity across government agencies and departments, updating federal incident response plans, and modernising national defenses.
Disrupt and dismantle threat actors
The second pillar in the strategy seeks to disrupt and dismantle threat actors that endanger US national security.
It articulates plans to develop an updated Department of Defense strategy to clarify how US Cyber Command and other DoD arms will integrate cyberspace operations to proactively defend against state and non-state actors that pose strategic-level threats to the US.
The goal is to enable continuous, coordinated operations through the National Cyber Investigative Joint Task Force (NCIJTF) for whole-of-government disruption campaigns.
Regarding ransomware, which the strategy deems a national security threat, the administration is committed to mounting disruption campaigns.
The Joint Ransomware Task Force, co-chaired by the Cybersecurity and Infrastructure Security Agency (CISA), will "coordinate, deconflict, and synchronise" existing operations to disrupt ransomware operations.
The strategy also contemplates enhancing public-private operational collaboration, increasing the speed and scale of intelligence sharing and victim notification, preventing the abuse of US infrastructure, and generally combatting cybercrime and ransomware threats.
Shape market forces to drive security and resilience
The most significant aspect of the third pillar is a shift in liability for insecure software products and services. "Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unknown or unvetted provenance," the strategy states.
"Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing."
The administration is proposing to shift responsibility onto software makers that fail to take reasonable precautions to secure their products and away from the end users who all too "often bear the consequences of insecure software."
To achieve this goal, the administration will work with Congress and the private sector to create a safe harbor framework that shields companies that securely develop and maintain their products from liability.
The safe harbor will draw from NIST's Secure Software Development Framework and other works.
The administration will also encourage coordinated vulnerability disclosure across all technologies, advance the development of software bills of materials (SBOMs), and develop a process for identifying and mitigating risk in widely used unsupported software.
The strategy further outlines how the administration will continue to seek improvements in IoT security, offer federal grants and other incentives to build security, leverage federal procurement to improve accountability, and explore a federal backstop to help deal with the rising cost of cyber insurance.
Invest in a resilient future
The fourth pillar of the strategy calls for the federal government to "leverage strategic public investments in innovation, R&D, and education to drive outcomes that are economically sustainable and serve the national interest."
It points to various existing programs, including the National Science Foundation's Regional Innovation Engine programs, while working with other countries to optimise cybersecurity technologies.
The most noteworthy aspect of this part of the strategy is the plan to strengthen the cybersecurity workforce and tackle the lack of diversity among cybersecurity professionals.
To this end, the Office of the National Cyber Director will lead the development and implementation of a National Cyber Workforce and Education Strategy.
The strategy will build on existing efforts developed by the National Initiative for Cybersecurity Education (NICE) and others.
The administration further plans to engage in a "clean-up" effort to mitigate the most urgent problems plaguing the foundational technologies of the internet, such as Border Gateway Protocol (BGP) vulnerabilities, unencrypted domain name system (DNS) requests, and the slow adoption of IPv6.
It will also prioritise the transition of vulnerable public network systems to quantum-resistant technology and urges the private sector to follow suit. Other efforts included in this pillar include accelerating the adoption of technology that secures a clean energy future and encouraging investments in robust verifiable digital identity solutions.
Enhance public-private operational collaboration to disrupt adversaries
The fifth pillar of the strategy seeks to bring together the public and private sectors to gain greater visibility into adversary activity. Private-sector partners are encouraged to collaborate operationally with the federal government through one or more nonprofit organisations, such as the National Cyber-Forensics and Training Alliance.
It also aims to increase the speed of intelligence sharing and victim notification by coordinating with sector risk management agencies (SRMAs) to identify intelligence needs and priorities, and by developing processes to share warnings, technical indicators, and other information with both government and non-government partners.
At the same time, the federal government will review its declassification policies to better provide actionable information to critical infrastructure owners and operators.
The government will also work with cloud infrastructure and other providers to identify malicious use of US-based infrastructure more quickly, and it will employ all elements of national power to combat cybercrime and ransomware.
Praise balanced by realism
Experts generally praised the strategy but expressed concerns over the ability of the administration to carry out such an ambitious agenda.
"I think it's a well-done strategy," Michael Daniel, president and CEO of the Cyber Threat Alliance, tells CSO. "I'm very pleased that they were able to get a strategy document that has some substance to it out of the interagency process because that's not always a foregone conclusion."
"It actually takes on some tough issues that have been long-standing in the field, so it's not afraid to go there," Daniel says. "And some examples of those are the fact that it talks about imposing mandatory requirements, for example, and starting to look at the issues around liability for software manufacturers."
"We applaud the push to continue to modernise federal IT, update federal incident response plans and processes, and enhance public-private operational collaboration," Lauren Van Wazer, vice president of global public policy at Akamai, tells CSO. "All of these will help strengthen our collective cybersecurity defenses." But, she says, "This is an ambitious and time-consuming agenda, and much of it will require new legislation. Short of getting a second term, the administration has less than two years to implement a strategy that calls for both new legislation and regulation."
Megan Stifel, chief strategy officer for the Institute for Security and Technology, tells CSO, "I think the two key priorities are rebalancing the responsibility to defend cyberspace and thinking about incentives. This approach to those issues is long overdue." However, getting the necessary authorities passed through Congress will likely be a tough slog. "I think I would not expect much legislatively, which is not how it should be," she says.
"They want to do some creative things on collaboration, and I think that is great. It's a thoughtful document, and I think they have a big task ahead of them," Megan Brown, partner at Wiley, tells CSO. But Brown says she is disappointed in how regulatory the strategy is.
Citing the administration's reliance on existing legal authorities to impose new requirements on the pipeline and rail sectors, Brown says, "I think those regulations are far from perfect and aren't a great model to try and expand to the rest of the economy."