The widely-anticipated US National Cybersecurity Strategy builds on existing cyber policy, largely reaffirming the structures, processes and policies laid out in 2018 — but with a more mature, still conventional approach. For example, it reaffirms 2016’s Presidential Policy Directive 41 (PPD/41) as the approach for the federal government’s response to any cyber incident.
The strategy’s vision remains for government agencies to work together as well as with private enterprise toward a common objective — strong, resilient economic, geopolitical and personal security. The comprehensive 39-page document makes for a veritable “wish list” that addresses ransomware, geopolitical threats, crypto money laundering, cloud security, operational technology, automation, modernization, cyber insurance and other issues.
Bringing the vision to life is not likely to be quick or easy, but the stage is set. Here are three shifts you need to watch: the strategy looks to hold software companies liable for cybersecurity failures, proposes regulations to protect critical infrastructure and advances a “defend-forward” approach coupled with law enforcement actions to disrupt malicious actors.
The strategy’s themes echo those in the 2018 document, especially the “sub-pillars” contained within its five main pillars — defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and pursue shared goals with international partnerships. But the 2023 strategy does break new ground in three key areas.
The strategy proposes shifting the “burden for cybersecurity” away from those who use software to those who design and sell it. Currently, it notes, software makers are able to avoid liability for any damages that might occur when vulnerabilities in their code result in a cybersecurity breach.
“Right now, we have a regime where the costs of liability are borne by the end user,” Acting National Cyber Director Kemba Walden said in a press conference discussing the new strategy. “That's just not effective.”
The administration plans to work with Congress toward legislation that would prevent software companies from disclaiming liability by contract, a practice the strategy notes is common today. But it isn’t all stick and no carrot. It also envisions incentives to encourage secure-to-market software development instead of the prevailing first-to-market approach.
The strategy notes that mandatory cybersecurity requirements don’t exist in some sectors. As a result, some organizations have invested in strong security and others have not, effectively rewarding those that haven’t spent their resources in this way.
“Regulation can level the playing field,” the strategy states. But the playing field is already uneven, with some sectors more at risk or less profitable than others: education as opposed to finance, or critical manufacturing versus pipeline operators, for instance. A one-size-fits-all approach to regulation would be unrealistic and possibly unfair.
Instead, the strategy proposes to continue to offer sector-specific standards courtesy of the National Institute of Standards and Technology and reaffirms the approach CISA takes with sector risk management agencies (SRMAs). It also speaks of streamlining regulations so organizations can avoid contending with needless duplications.
The 2023 strategy adopts the “defend-forward” concept, an integrated approach introduced by the Department of Defense in 2018. It bolsters the role of the Justice Department and the FBI in leading the whole-of-government campaigns at the National Cyber Investigative Joint Task Force (NCIJTF). This approach brings together diplomatic tools and economic sanctions — along with military, intelligence and law enforcement capabilities and authorities — to counter nation-state threats as well as criminal entities such as those that spread ransomware.
Setting goals is one thing, reaching them quite another. Many of the objectives will require congressional action, which can be difficult, given split government control and narrow margins in both chambers.
Short of federal legislation for new authorities and regulation, the administration could turn to state governments and independent regulators. But the resulting patchwork of laws and rules would be contrary to the harmonization and the “light regulation” that the strategy calls for.
The short section on “Implementation” (running just over a single page of the report’s 39 pages) tells us that there’s much more to be done. Realizing the vision will be a multiyear effort, especially where Congress needs to act and where gaps need to be filled, the Acting National Cyber Director acknowledges.
Strengthen your collaboration with the government and sector information-sharing centers. The strategy places a premium on public-private cybersecurity collaboration. A good start is joining your Information Sharing and Analysis Center (ISAC), the Cyber Collaboration Center (CCC), the Joint Cyber Defense Collaboration (JCDC) or the National Cyber-Forensics and Training Alliance (NCFTA). If your enterprise is part of critical infrastructure, renew or nurture contacts at your SRMA and the local FBI field office. Capitalize on the integrated effort by the government to disrupt threat actor groups, ranging from nation-state actors to criminal groups.
Engage with regulators now. Savvy enterprises will prepare to get involved in the process as soon as possible. Stay abreast of new developments by talking to regulators and consider engaging in rulemaking or legislative processes to help your enterprise avoid being blindsided by regulations. Taking an active interest may provide the opportunity to shape the rules that could affect your company or sector.