The Biden Administration recently introduced a new national cybersecurity strategy, expected to aggressively address an increasingly complex and dangerous threat landscape.
Improving cybersecurity may not be the top priority for the Biden Administration, but it is an issue that the White House has been focused on since the earliest days of President Biden’s tenure. For example, in May 2021, Biden issued an executive order that emphasized sharing information about threats and modernizing cybersecurity across the federal government. In 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires “the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.”
In March 2023, the White House announced its plans for a national strategy that puts the burden of cybersecurity on organizations most capable of reducing risks. It also seeks to find the balance between defending against today’s threats and planning and investing in cybersecurity solutions for the future.
The executive order lists five pillars to build this strategy:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
“New cybersecurity standards will benefit companies and consumers,” Walt Szablowski, Founder and Executive Chairman of Eracent, said in an email statement. “We’ve passed the point of needing security tools, and we need the right process to coordinate security.”
America’s cyber social contract
The digital world is filled with risk — to our networks, to our data and to our financial standing. But what keeps us from meeting the true potential of the cyber world is a lack of true cybersecurity governance.
“The United States needs a new social contract for the digital age — one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each,” Chris Inglis and Harry Krejsa wrote in a Foreign Affairs article.
The new executive order addresses that social contract, Kemba Walden, the acting national cyber director, said in a media call announcing the national cybersecurity strategy. It will shift the balance of cybersecurity responsibility to those that are most able to manage the risk. This, in turn, should trickle down to offer a solid security approach to small businesses and individuals. Software vendors will need to step up their efforts to meet cybersecurity best practices. The White House’s cybersecurity team has been pushing for the application of zero trust principles, better threat sharing across public and private sectors and improved cloud security.
“Next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies,” the executive order stated. This strategy will offer a path to build security into the technologies of the future, as well as help develop policies to defend against the current threat landscape.
New standards and expectations for critical infrastructure security
The Government Accountability Office (GAO) has called for improving cybersecurity around critical infrastructure since 2010, stating that with increased connectivity, distribution systems are more vulnerable than ever to attack. The Colonial Pipeline cyber incident showed how a single ransomware attack could create chaos. All it took was a threat actor who exploited a company’s poor cybersecurity practices.
The executive order directly addresses cybersecurity surrounding critical infrastructure. It prioritizes expanding minimum security requirements, as well as improving the public and private sector collaboration needed to develop a more expedient and effective cyber incident response.
One of the first actions after the executive order was introduced came from the Transportation Security Administration (TSA), which issued an amendment addressing cybersecurity in the aviation industry. Airport and aircraft operators are to develop an implementation plan outlining the ways they plan to improve their cybersecurity and decrease disruptions caused by a potential cyber incident.
Perhaps the most important aspect of the standards for critical infrastructure security is the call to streamline regulations across multiple infrastructure disciplines. Each sector will determine worst-case scenarios and the greatest impact caused by a cyberattack, and guidelines will be created from these findings.
A new strategy for cloud security
Organizations of all sizes are migrating to the cloud. More frequently, state-sponsored threat actors are taking advantage of weak cloud security to launch attacks. Recognizing this, the White House’s cybersecurity strategy calls on cloud services to be part of all new regulations, especially considering the role of cloud computing in critical infrastructure. Government agencies will need to work closely with cloud providers not only to detect potential threats but also to share that information.
Cloud providers will play a large role in the cybersecurity strategy. They will carry the burden of more accountability for securing critical infrastructure and meeting best practices. On the government’s side, there will be a greater push by the Office of Management and Budget (OMB) to phase out legacy systems while modernizing technology and encouraging more cloud migration. This move will allow government agencies to better implement a zero trust framework.
Going on the offensive to disrupt threat actors
When talking about defending valuable network assets, cybersecurity professionals often warn that your security system needs to be right all the time, but the threat actors only need to be right once. This is an attitude that focuses heavily on defense. The new security strategy wants to go on the offense and disrupt and dismantle those who threaten our network infrastructure.
One goal is to create disruption campaigns that not only make it more difficult for threat actors to succeed but also make their attempts unprofitable. This will require cybersecurity systems that are constantly monitoring and addressing potential threats. A second goal is to build close collaboration between the public and private sectors to share threat information quickly.
The new cybersecurity strategy isn’t perfect. It doesn’t factor in the skills shortage and finding analysts to manage the security operations center. It is also very specific in its scope and misses out on a wide range of cybersecurity issues facing organizations. But it is a step forward, encouraging public and private sector collaboration and putting the onus of cybersecurity on the entities best equipped to handle it.