Feds Release National Cybersecurity Roadmap
The U.S. government released its widely anticipated National Cybersecurity Strategy on Tuesday, pushing mandatory regulation on critical infrastructure operators and vendors and green-lighting a more aggressive, government-led ‘hack-back’ style approach to disrupting foreign adversaries and ransomware actors.
The strategy is just that, a roadmap. While parts of it can be done without Congress’ approval, much of it requires additional authority. Given that the House is not friendly to anything the President wants, that could be a hard sell. On the other hand, it could be the basis for a trade. Also, politics being what it is, the President could jawbone that the Republicans are against securing cyberspace, which has the wrong optics with an election year coming up. Who knows. In any case, here is a brief outline.
The strategy, organized around five pillars, seeks to:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
The strategy also directs law enforcement and intelligence agencies, at a high level, to “disrupt and dismantle threat actors,” including foreign APT campaigns and data-extortion ransomware groups. Note that this is government action, not a license for private companies to hack back. The stated objective is to make cybercrime unprofitable. Stay tuned on that one.
The White House says that the country has to do two things:
- We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
- We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
Together with our allies and partners, the United States will make our digital ecosystem:
- Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;
- Resilient, where cyber incidents and errors have little widespread or lasting impact; and,
- Values-aligned, where our most cherished values shape—and are in turn reinforced by— our digital world.
According to the White House, here is the approach:
This Strategy seeks to build and enhance collaboration around five pillars:
1. Defend Critical Infrastructure – We will give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides, including by:
- Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance;
- Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and,
- Defending and modernizing Federal networks and updating Federal incident response policy.
2. Disrupt and Dismantle Threat Actors – Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States, including by:
- Strategically employing all tools of national power to disrupt adversaries;
- Engaging the private sector in disruption activities through scalable mechanisms; and,
- Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with our international partners.
3. Shape Market Forces to Drive Security and Resilience – We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy, including by:
- Promoting privacy and the security of personal data;
- Shifting liability for software products and services to promote secure development practices; and,
- Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.
4. Invest in a Resilient Future – Through strategic investments and coordinated, collaborative action, the United States will continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure, including by:
- Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression;
- Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure; and,
- Developing a diverse and robust national cyber workforce.
5. Forge International Partnerships to Pursue Shared Goals – The United States seeks a world where responsible state behavior in cyberspace is expected and reinforced and where irresponsible behavior is isolating and costly, including by:
- Leveraging international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition;
- Increasing the capacity of our partners to defend themselves against cyber threats, both in peacetime and in crisis; and,
- Working with our allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.
How this turns out is unknown. It requires a lot of trust and cooperation, both between the government and private industry and between the US and other countries.
The Republican response has been mixed. Parts of it, like getting tougher on China, they like. Parts of it, like making big companies financially liable for releasing software which is not secure, they don’t like so much. What they would like to do is return to the days of ex-president Trump, where they just ignored the problem. That worked really well. No regulation, lower costs for big business, and the consumers (both individuals and small businesses) get to deal with the mess.
Personally, I don’t think the strategy of the last administration worked and if we return to that, I think it will be a disaster, but this is politics, not sanity.
Stay tuned.
Credit: Security Week, The White House, CSIS (Video), The Record