The White House has released its National Cybersecurity Strategy, which envisions a much greater role for US software and technology providers in combating the growing number of cyber threats.
Posted on March 3, 2023, the strategy lays out the Biden administration’s plan to make two fundamental changes to the way the US approaches cybersecurity.
The first change involves much closer collaboration between government and industry, and the strategy notes that organizations with the necessary expertise and resources should be the ones to shoulder the burden of dealing with cyber threats.
“Our collective cyber resilience cannot depend on the constant vigilance of our smallest organizations and individual citizens,” the strategy states. “Instead, in both the public and private sectors, we must ask more of the most capable and best positioned actors to make our digital ecosystem secure and resilient.”
The strategy adds that this will include various national and federal cybersecurity agencies and initiatives, as well as a wide range of private actors: “The federal government [will] also deepen operational and strategic collaboration with software, hardware, and managed service providers with the ability to reshape the cyber landscape in favor of greater security and resilience.”
Biden previously signed an Executive Order in May 2021 to strengthen America’s cyber defenses, with a heavy emphasis on public-private partnerships and information sharing, which the administration described at the time as “the first of many ambitious steps” to modernize the US’ cyber defenses.
He later signed a new cybersecurity incident reporting mandate into law in March 2022, making it a legal requirement for operators of critical national infrastructure to disclose cyberattacks to the US government.
In addition to rebalancing the responsibility to defend cyberspace, the strategy also aims to realign incentives to favor long-term investment so that the US can make its cyberspace “more inherently defensible and resilient” in the future.
“We must ensure that market forces and public programs reward security and resilience, build a robust and diverse cyber workforce, embrace security and resilience by design, strategically coordinate investments in cybersecurity research and development and promote collaborative stewardship of our digital ecosystem,” the strategy states.
To achieve these two “fundamental shifts” in the US cybersecurity approach, the strategy outlines five pillars: defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships to pursue shared goals.
Regarding the role of the private sector, the White House said in a fact sheet that these pillars would involve enabling public-private collaboration at the speed and scale required; engaging the private sector in threat actor disruption activities; and shifting responsibility for security flaws onto the software companies that introduce them.
More generally, the fact sheet added, the White House will work to expand the use of minimum cybersecurity requirements; modernize federal networks and incident response policies; promote the privacy and security of personal data; and strategically employ “all the tools of national power” to disrupt adversaries.
The strategy will be implemented by the National Security Council (NSC) in coordination with the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD), which will have the task of reporting annually to the president and Congress on the strategy’s effectiveness.
Brian Fox, co-founder and CTO of software supply chain management company Sonatype, who helped develop the strategy, praised its move to make vendors more accountable for cybersecurity risks.
“Log4Shell was the impetus for calls to action for better software supply chain security from governments around the world,” he said, adding that the strategy is a “historic moment for the industry” that indicates a nuanced understanding of the current threat landscape.
“Market forces are leading to a race to the bottom in certain industries, while contract law allows software providers of all kinds to protect themselves from liability…the strategy rightly begins by removing the ability of software providers to disclaim all responsibility, while acknowledging that even a perfect security process cannot guarantee perfect results.”
He added that the strategy also moves to hold accountable companies that collect massive amounts of information and then leave it exposed to attackers, while those affected have few resources to hold them to account.
“Without regulatory changes, the ramifications of these types of violations can be enormous for consumers, while the resulting lawsuits equate to a rounding error and cost of doing business for these companies,” he said. “Changing the dynamics of accountability is the only way to drive the right results. But it’s just the beginning of a much bigger conversation.”
Michael McPherson, ReliaQuest’s senior vice president of security operations, also welcomed the strategy, saying it “affirms the whole-of-government approach to partner closely with the private sector to impose maximum impact on the adversary.”
“Ultimately, the US government wants to degrade the adversary’s ecosystem and impose consequences for their illicit activities,” he added. “Agencies like the FBI will continue to play a leadership role in coordinating efforts and conducting these disruption operations. While there will be enormous challenges in collaborating with the private sector, this strategy outlines that it is imperative for national security.”