What You Need to Know About the New National Cybersecurity StrategyBy understanding the changes to business norms that the National Cybersecurity Strategy sets, you can prepare yourself for any compliance requirements that these initiatives may create.
In March 2023, the White House published the National Cybersecurity Strategy. As more states introduce cybersecurity laws, the NCS acts as a set of guiding principles that guide basic cybersecurity hygiene at the national level. By recognizing that cybersecurity is essential to national economy, democracy, and privacy, the National Cybersecurity Strategy seeks to foster public-private sector collaboration while taking on systemic challenges.
In realigning the incentives, the National Cybersecurity Strategy paves the way for developing and enforcing rules and norms for how citizens and businesses conduct themselves on the internet.
By understanding the changes to business norms that the National Cybersecurity Strategy sets, you can prepare yourself for any compliance requirements that these initiatives may create.
Why is Having a National Cybersecurity Strategy Important?
The National Cybersecurity Strategy focuses on the way that digital transformation has changed the world. The internet created opportunities for new business models that enable innovation. As businesses adopt Internet of Things (IoT) devices, they can achieve efficiencies that enhance revenue and grow the US economy. Unfortunately, malicious actors try to undermine digital ecosystems.
Complex Digital Dependencies
Malicious actors look to exploit security weaknesses across increasingly interdependent software and systems. Citing the 2017 “NotPetya” attack, the National Cybersecurity Strategy notes that the potential cost of attacks will only continue to grow as systems become more interconnected and complex.
The recent data supports this claim. According to the 2023 Verizon Data Breach Investigations Report, Basic Web Application Attacks accounted for 25% of data breaches, with 1,315 of the 1,404 incidents having confirmed data disclosures.
Further, cyber attacks against industrial control systems can lead to physical harm. Malicious actors can exploit the operational technology (OT) and IT convergence to disrupt economic and social stability. Meanwhile, the financial services and healthcare industries move essential systems online, ultimately making cyberattacks more destructive.
Accessibility of Malicious Tools and Services
Today, offensive hacking tools and services are widely available to criminal syndicates, empowering countries that previously lacked the resources to harm the US. The National Cybersecurity Strategy notes that autocratic states increasingly leverage advanced cyber capabilities, threatening national security and seeking to destabilize international politics.
Moving beyond espionage and intellectual property theft, these criminal syndicates use malicious cyber activities to disrupt critical services and business.
What Are the Goals for the New Cybersecurity Strategy?
To build a path to cyber resilience, the National Cybersecurity Strategy outlines two fundamental shifts that need to occur so that digital ecosystems can be defensible, resilient, and values-aligned.
The National Cybersecurity Strategy recognizes that the people often responsible for security incidents are those with the least resources, going so far as to say:
A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.
To protect digital ecosystems, the National Cybersecurity Strategy outlines that system owners, operators, and providers should be held responsible. To rebalance responsibilities, the government must:
Protect its systems.
Ensure private entities protect their systems.
Impose economic costs.
To defend the shared digital ecosystem, private and public entities must collaborate more effectively.
The National Cybersecurity Strategy notes that realigning incentives must be done in two ways. First, entities must invest resources in defending current systems. Second, they must build future systems in more defensible and resilient ways.
Moving forward, the federal government plans to use use its purchasing power and public programs to reward:
Building a robust, diverse cyber workforce.
Embracing security and resilience by design.
Cybersecurity research and development investments.
How Will the New Cybersecurity Strategy Achieve its Goals?
Although the National Cybersecurity Strategy is not a law, it does provide insight into how the federal government will focus future legislative and regulatory agency objectives. Building on current regulations and previous executive orders, the National Cybersecurity Strategy’s five pillars align with and further pre-existing efforts for securing federal systems and collaborating with the private sector.
Defend Critical Infrastructure
Using the “Shield’s Up” campaign as an example, the National Cybersecurity Strategy explains that the country needs a predictable regulatory cybersecurity framework focused on security and operational continuity.
Federal cybersecurity initiatives, like the zero trust architecture strategy and modernized digital infrastructures, can be models for critical infrastructure. Specifically, the document outlines the following strategic objectives:
Standardized regulatory requirements across industries and incentivize cybersecurity investments
Coordination between the critical infrastructure owners/operators and CISA
Federal Cybersecurity Centers for a single point of contact across government agencies
Clear guidance for private sector entities that need support during and after cyber incidents
Modernizing federal systems with zero trust principles
Disrupt and Dismantle Threat Actors
The National Cybersecurity Strategy builds on the successes of previous activities. For sustained and effective adversary disruption, the document outlines the following strategic objectives:
Developing technical and organizational resources that make criminal cyber activity unprofitable and nation-state activities ineffective
Using virtual collaboration platforms for more routine collaboration
Creating processes for sharing warning, technical indicators, and threat context across government and private partners
Enacting an implementing a risk-based approach to cybersecurity across Infrastructure-as-a-Service (SaaS) providers
Engaging in disruption campaigns to undermine ransomware’s profitability
Shape Market Forces to Drive Security and Resilience
To shift responsibility away from vulnerable people and entities, the National Cybersecurity Strategy outlines an aggressive plan for using federal purchasing power and grant-making to incentive security. The strategic objectives that support this initiative are:
Establishing laws with robust, clear limits around collecting, using, transferring, and maintaining personal data
Using federal research and development (R&D), procurement, and risk management to drive IoT security
Establishing liability laws for software products and services to shape standards of care, coordinate vulnerability disclosures, promote Software Bills of Materials (SBOMs), and develop risk identification and mitigation strategies for unsupported software
Leveraging federal grant programs to invest in products and services that are secure- and resilient-by-design
Requiring all federal government contractors to follow and live up to cybersecurity best practices
Assessing whether to support the cyber insurance market for catastrophic cyber events
Invest in a Resilient Future
Building on the federal government’s ability to leverage market forces, the National Cybersecurity Strategy discusses the important role that public investments in innovation, R&D, and education play.
The following objectives will enable the government to build a modern industrial and innovation strategy:
Securing the public interest by reducing inherent risks arising from technologies like Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and slow adoption of IPv6
Investing in research and innovation to secure computing related technologies, quantum information systems, artificial intelligence, biotechnologies, biomanufacturing, and clean energy
Investing in hardware, software, and services that quantum computing can’t easily compromise
Creating proactive cybersecurity requirement for clean energy technologies
Developing digital identity policies and technologies that protect security while promoting transparency and measurement
Developing and implementing a National Cyber Workforce and Education Strategy to reduce the talent gap and improve diversity
Forge International Partnerships to Pursue Shared Goals
The globally shared digital ecosystem is more resilient and defensible when countries work against common problems and toward common goals. To build coalitions of international allies and partners, the National Cybersecurity Strategy sets out the following objectives:
Working and sharing information with various multinational allies and partners to build collaborative law enforcement mechanisms
Pursuing coordinated and effective international efforts through cross-agency and public-private collaboration
Establishing policies for when and how to support allied and partner nations when they must respond to a significant cyberattack
Using diplomatic strategies to hold nation-states accountable for irresponsible cyber activities
Reducing the dependency on products and services from untrusted foreign suppliers to rebalance global supply chains
Compliance and the National Cybersecurity Strategy
The National Cybersecurity Strategy is not a law or agency requirement. However, it provides insight into the cybersecurity initiatives that agencies, congress, and the Executive branch will likely introduce over the next five to ten years.
Most importantly, the National Cybersecurity Strategy discusses the important role that all federal agencies—not just the Department of Defense—play when it comes to being data protection role models. Further, the document reinforces the impact that federal spending can have across R&D and vendor contracts.
Ultimately, the National Cybersecurity Strategy foreshadows future legislative and regulatory agency activities that companies need to begin preparing for from now.
For more industry updates and insights, sign up for Trusted, our bimonthly newsletter.