The Biden-Harris administration has introduced a new national cybersecurity strategy that emphasizes shifting the burden for cybersecurity from individuals and small businesses to the organizations most capable of reducing risks for all citizens.
In shifting the focus of responsibility away from the victims of cybercrimes, the new plan focuses on strengthening the public-private partnerships that will encourage security firms to share knowledge of cybercriminal networks.
“In this decisive decade, the United States will reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society,” the White House said. “To realize this vision, we must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.”
Two pillars of the strategy
Usually, the federal government would push for companies to voluntarily report intrusions in their systems and patch programs regularly to fix newly discovered vulnerabilities. Now, the strategy suggests that these good-faith efforts are insufficient and companies will be required to meet minimum cybersecurity standards.
The new national strategy contains two major pillars, both of which are transformational shifts in how the US operates in cyberspace.
The first pillar is the rebalancing of responsibility to defend cyberspace by shifting the burden of responsibility from individuals, small businesses and local governments to larger entities with more capabilities.
The second is a realignment of incentives to favor long-term investments through a balance of defending against urgent threats today and simultaneously planning for and investing in a resilient future.
National Cyber Strategy approach
The national cybersecurity strategy seeks to build and enhance collaboration around five different categories, including:
- Defend Critical Infrastructure, which will include expanding minimum cybersecurity requirements in critical sectors, enabling public-private collaboration, defending and modernizing federal networks and updating the federal incident response policy.
- Disrupt and Dismantle Threat Actors, which sees the strategic employment of all tools of national power to disrupt adversaries, engaging the private sector in disruption activities through scalable mechanisms and addressing the ransomware threat in lockstep with international partners.
- Shape Market Forces to Drive Security and Resilience, which includes promoting privacy and security of personal data, shifting liability for software products and services to promote security development practices and ensuring federal grant programs promote investments in new, secure and resilient infrastructure.
- Invest in a Resilient Future, which includes reducing systemic technical vulnerabilities across the digital ecosystem, prioritizing cybersecurity R&D for next-gen technologies and developing a diverse and robust national cyber workforce.
- Forge International Partnerships to Pursue Shared Goals, which will include leveraging international coalitions to counter threats, increasing the capacity of partners to defend themselves and working with allies and partners to make secure, reliable and trustworthy global supply chains for information and communications technology and operational technology products and services.
Private-sector impact
It is important to note that this new cybersecurity strategy is a policy document and not an outright executive order. If the strategy is enacted into new regulations and laws, it would force companies to implement minimum cybersecurity requirements for critical infrastructure.
This would potentially impose liability on companies that fail to secure their code in accordance with these regulations.
Further, the strategy emphasizes prioritizing cybersecurity R&D for next-generation technologies, such as cloud and clean energy technologies. However, some experts believe that emerging technologies will test the viability of the strategy itself.
Ari Jacoby, a technology executive focusing on using AI to fight fraud, told ABC News that the same advantages seen in AI tools are vulnerable to nefarious use. Publicly available information on software engineering could allow hackers to use chatbots to generate or enhance malicious computer code. The opposite side of that coin is that AI is designed to be nimble and account for new developments in the shifting cybersecurity landscape.
When speaking with the New York Times, National Cyber Director Kemba Walden emphasized the importance of cloud computing service providers and the role they play in securing data. The strategy as a whole recognizes that the private sector is a critical dependency for national security.