The Biden administration released its much-anticipated National Cybersecurity Strategy today, with multiple focus points including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers.
The White House said that implementation of the strategy is “already underway” and being coordinated by the Office of the National Cyber Director (ONCD), which produced the strategy.
Shifts in Thinking
At the top line, the strategy released by the White House and the ONCD charts a course of “fundamental shifts” in U.S. thinking about “roles, responsibilities, and resources in cyberspace.” Three major themes spring from that thinking:
- The U.S. needs to “rebalance” the responsibility to defend cyberspace by “shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us”;
- The U.S. needs to “realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future”; and
- The U.S. needs to use “all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity.”
The long-term goal, the cyber strategy says, is to join with allies and partners to make the cyber defense of the digital ecosystem “overwhelmingly easier, cheaper, and more effective,” and to make the ecosystem more resilient so that “cyber incidents and errors have little widespread or lasting impact.”
The White House said those goals are already being pursued through existing executive orders to improve cybersecurity for government and critical infrastructure sectors, migrate government toward zero trust security architectures, and begin to mitigate the eventual cyber risks posed by quantum computing.
“Expanding on these efforts, the Strategy recognizes that cyberspace does not exist for its own end but as a tool to pursue our highest aspirations,” the White House said today.
Getting There – Critical Infrastructure
On the critical infrastructure front, the new strategy aims to expand the use of “minimum cybersecurity requirements” across the 16 critical infrastructure sectors already defined by the Department of Homeland Security (DHS) to “ensure national security and public safety.” The strategy also aims at “harmonizing regulations to reduce the burden of compliance.”
In addition, the strategy aims to enable “public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services.”
For government systems, the strategy is prioritizing “defending and modernizing Federal networks and updating Federal incident response policy.”
“With respect to industry, we will identify gaps and reduce burdens in existing authorities where targeted and narrow regulations are necessary to improve public safety and cybersecurity,” said Kemba Walden, Acting National Cyber Director, during a press briefing late Wednesday.
“The strategy will defend critical infrastructure by expanding minimum cybersecurity requirements for critical sectors, enabling public-private collaboration, and ensuring that our systems are kept to the level needed to meet the threat,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology in the Biden Administration, during a Wednesday press briefing.
“It’s critical … that the American people have confidence in the availability and resiliency of our critical infrastructure and the essential services it provides,” she said.
“A lot of the work we’ve done on critical infrastructure is already underway,” Neuberger said. “This strategy codifies the first two years of putting in place minimum cybersecurity requirements for pipelines, for railways, and, shortly, for additional sectors, we’ll be announcing.”
“We recognize that we need to move from just a public-private partnership, information-sharing approach to implement minimum mandates,” she said. “Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure.”
“We’ve made major progress in executing this as a core Biden administration commitment in the first two years, and we’ll continue to carry it forward with the executive branch authorities we have in place and work with Congress to develop those limited additional authorities we may still need,” she said.
Taking the Fight to Adversaries
While the strategy is necessarily short on any description of tactical plans, it makes clear that the U.S. plans to mount a tougher fight against cyber threat actors wherever they may be.
With the aim of disrupting and dismantling threat actors, the strategy pledges that, by “using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States.”
Part of that effort, the strategy says, will include “engaging the private sector in disruption activities through scalable mechanisms.”
The strategy also singles out ransomware attacks, and pledges to address that threat “through a comprehensive Federal approach and in lockstep with our international partners.”
On the ransomware front, Neuberger said the strategy reflects a new thinking in which ransomware is considered a national security issue.
“As we continue our focus on disrupting and dismantling threat actors, we’re elevating our work on ransomware, declaring ransomware a threat to national security rather than just a criminal challenge,” she said.
“This is something we’ve already begun to tackle through domestic work targeting the most virulent ransomware actors — I’d call out the FBI’s work against Hive as an example — and with 36 partners and the European Union in the international counter ransomware initiative, which just had its first anniversary in October,” she said.
Drilling down into the international part of the effort, the strategy also aims to:
- Leverage “international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition”;
- Help U.S. partners to increase the ability to defend themselves against cyber threats, “both in peacetime and in crisis”; and
- Work with allies to “make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.”
“For government, we have a duty to the American people to also double down on tools that only government can wield, including the law enforcement and military authorities to disrupt malicious cyber activity and pursue their perpetrators,” Walden said.
“And we will continue to invest in information sharing, operational collaboration, and other forms of partnership with the private sector,” she said.
“The strategy is really being released at a pivotal moment, at a very timely moment,” Neuberger said.
“Looking back at the last 24 months of the Biden-Harris administration and especially over the last year as we recently hit the one-year mark of the war in Ukraine, we’ve seen the cyber threat be at the forefront of geopolitical crises,” she said. “And as we know, the threat is not only Russia – we’ve seen destructive cyber and ransomware attacks executed by cybercriminals and other countries across the globe.”
“Here at home, we’re no stranger to these sorts of threats, which is important, because the Biden administration’s fundamental commitment is that Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines, air/water services even if they are being targeted by our adversaries,” she said.
“That’s why the Biden-Harris administration has worked tirelessly over the last two years to deliver on that commitment by building a more resilient cyber infrastructure to protect the services we all rely on daily, and also to strengthen our international partnerships, because cyber threats are fundamentally transnational threats,” Neuberger said. “They cross borders.”
“That’s exactly what the strategy captures and sets out to continue to do, drawing direction and inspiration from the National Security Strategy, and establishing an affirmative vision for a secure cyberspace that creates opportunities to achieve our collective aspirations,” she said.
“It endeavors to make a stronger and more resilient cyber infrastructure for the American people and our allies and partners around the world.”
Shifting the Security Burden
Under the heading of shaping market forces, the strategy pledges to “place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable to make our digital ecosystem more trustworthy.”
Strategies toward that end include “shifting liability for software products and services to promote secure development practices” – an effort that is already underway at the Federal government level through the development of software bills of materials (SBOMs), among other means.
The strategy also aims to harness Federal grant programs to “promote investments in new infrastructure that are secure and resilient.”
“The President’s strategy fundamentally reimagines America’s … cyber-social contract,” said Walden.
“It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it,” she said. “Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.”
“The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe,” Walden said. “This strategy asks more of industry, but also commits more from the federal government.”
“Simply shifting the burden for security, though, won’t solve all of our problems if we don’t start thinking in terms of long-term solutions,” Walden emphasized.
“There are very real near-term risks, legal requirements, and commercial incentives that cause us to prioritize short-term approaches over long-term solutions,” she said. “But it’s not enough just to manage the threats of today. We need to invest in a tomorrow that is more inherently defensible and resilient.”
“To do that, we need to make it so that when public- and private-sector entities face tradeoffs between easy but temporary fixes and durable and long-term solutions, they are incentivized to consistently choose the latter,” she said.
Further on the investment front, the strategy says the U.S. will aim to increase cyber resilience through a variety of means:
- Strategic investments and collaborative action to “continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure”;
- “Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression”;
- “Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure”; and
- Developing a diverse and robust national cyber workforce.