Pledging to coordinate all tools at its disposal to protect national security, public safety, and the economy, the Biden administration revealed a new National Cybersecurity Strategy this week and proposed a rethink on how the United States tackles the digital sphere and its security.
The proposal was built on two concepts: a need to rebalance cyberspace defense responsibilities and a need to realign incentives in favor of long-term investments. In terms of the first, the government called for shifting the burden of cybersecurity away from individuals, small businesses, and local governments and instead putting the onus on organizations most capable and best-positioned to address the risks involved. Owing to the rapid evolution of the digital space, it also urged a careful balance between defending against current threats and strategically planning, and investing, for ways to meet future demands.
While noting that implementation of this strategy is already underway, the White House stressed that its approach consists of five pillars:
- Defending critical infrastructure
- Disrupting and destroying threats
- Shaping market forces toward security and resilience
- Investing in resilience
- International partnerships
These efforts are being directed by the Office of the National Cyber Director, created in 2021 to advise the president on matters related to cybersecurity. In this way, it complements organizations like the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the Department of Homeland Security (DHS). The latter agency was also among those bolstered by the new strategy.
“This National Cybersecurity Strategy establishes a clear vision for a secure cyberspace,” Homeland Security Secretary Alejandro Mayorkas said in a statement. “The Department of Homeland Security continuously evolves to counter emerging threats and protect Americans in our modern world. We will implement the President’s vision outlined in this Strategy, working with partners across sectors and around the globe to provide cybersecurity tools and resources, protect critical infrastructure, respond to and recover from cyber incidents, and pave the way for a more secure future.”
Under the new plan, CISA will seek to improve its work defending Federal Civilian Executive Branch systems and modernizing federal networks, while pursuing investigations and working to disrupt ransomware criminals. It emphasized the importance of public-private sector collaboration in the future. In that regard, it also urged Congress to codify DHS’s Cyber Safety Review Board as a means for federal and private sector cyber leaders to engage in fact-finding missions and recommend change following major cyber incidents. CISA was also designated as the leader for updates to the National Cyber Incident Response Plan.
Those specifics aside, the National Cybersecurity Strategy also set out a number of general focus areas for the administration going forward. In defending critical infrastructure, it underscored expanding the use of minimum cybersecurity requirements in critical sectors, building public-private collaboration, and defending and modernizing federal networks while updating incident response policy. To hit back at malicious cyber criminals, it called for using all tools of national power and engaging with the private sector for scalable mechanisms of response and disruption.
This will also play out in the market, where the government hopes to turn consequences away from the most vulnerable and, without ending the promotion of privacy and personal data security, to shift liability for software products and services to promote more secure development practices while investing more federal grants into secure and resilient infrastructure. Resilience was a key focus here, with the new strategy focused on reducing systemic technical vulnerabilities baked into the Internet’s foundations, on cybersecurity research and development, and on developing a national cyber workforce.
Many efforts will also take to the world stage – appropriate for a digital world. The United States will emphasize international partnerships for cyberspace enforcement, security, reliability, and trustworthiness in and around the supply chains of information, communications technology, and operational technology products and services.
“Our rapidly evolving world demands a more intentional, more coordinated, and more well-resourced approach to cyber defense,” a White House statement on the strategy said. “We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests. At the same time, next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies. This Strategy sets out a path to address these threats and secure the promise of our digital future.”