The White House on Thursday released its highly anticipated National Cyber Security Strategy. The new federal policy assigns more digital security responsibility to tech firms instead of more federal regulations.
The policy document urges a greater mandate on the firms that control most of the country’s digital infrastructure. It also promotes an expanded government role in disrupting hackers and state-sponsored entities.
But the strategy lays out a cybersecurity roadmap for new laws and regulations over the next few years aimed at helping America prepare for and fight emerging cyber threats. It sets the pace of government actions in the long run:
- Explore a national insurance backstop in case of a catastrophic cyber attack to complement the existing cyber insurance market;
- Focus on protecting critical infrastructure by expanding minimum security requirements to specific sectors and streamlining regulations;
- Treat ransomware as a threat to national security, not just a criminal issue.
This triggers a fundamental directional shift in the government’s cyber security approach. The shift in focus reflects how the United States allocates roles, responsibilities, and resources in cyberspace.
It also rebalances the responsibility of protecting cyberspace by shifting the burden of cyber security away from individuals, small businesses and local governments. Instead, according to policy pronouncements, the most capable and best-positioned organizations have an obligation to mitigate the risks to all of us.
“The strategy recognizes that the government must use all instruments of national power in a coordinated manner to protect our national security, public safety and economic prosperity,” the White House said in its announcement.
The Biden-Harris strategy seeks to build and enhance collaboration around five pillars:
- Protect critical infrastructure;
- Disrupt and dismantle threat actors;
- Shape market forces to drive security and resilience;
- Invest in a resilient future through strategic investments and coordinated, collaborative action to lead the world in innovation of secure and resilient next-generation technologies and infrastructure;
- Forge international partnerships to pursue common goals.
According to the policy statement, along with those standards, the newly tapped global allies and partners will make the United States’ digital ecosystem defensive, resilient, and aligned with values.
Federal Cyber Security Requirements, Enforcement
Eric Noonan, CEO of CyberSheath, proposed that the federal government commit explicitly and meaningfully to expanding mandatory minimum cyber security requirements in critical areas.
He said it was a fresh acknowledgment of the federal government’s role and a complete abandonment of the original 2003 strategy, which stated that federal regulation would not be the primary means of securing cyberspace.
“It may have taken 20 years, but the federal government is now saying the quiet part loudly. Lack of mandatory cyber security minimums has failed, and regulatory mandates are coming, so get your house in order,” Noonan told TechNewsWorld.
The strategy also makes clear that where the government does not have the authority to mandate minimum standards, the administration will work with Congress to close those gaps and control irregularities.
Noonan predicted that a big change is coming in our ability to detect and defend against cyber threats. But that’s only when agencies like the DOD, the SEC, the FCC, and the rest of the federal government fully exercise their regulatory powers to establish and enforce mandatory cyber security minimums across their respective contractors and suppliers.
“The single most impactful thing the federal government can do is to protect our nation’s cyber defense, and this strategy does it,” he said.
Positive support from the European Union
Martin Riley, director of managed security services at cyber firm Bridewell, is pleased to see a change in the United States’ attitude regarding cyber security.
“It’s great to see these moves taking effect. We find ourselves in a leadership position in many areas in Europe with regulations like NIS and GDPR,” Riley told TechNewsWorld.
He added that the European Union is in a great position to assist its US partners and lead them in the pursuit of cyber resilience. “I look forward to digging into the details to see the incentives being implemented by the US government to ensure these practices are taken up equally across all states and relevant territories.”
Updated technology vital employment
The report emphasizes the modernization of federal security. Darktrace CEO Marcus Fowler advised that a critical part of this should be accelerating the government’s ability to onboard modern and next-generation security technologies.
“Government agencies need to be able to efficiently test technologies in dynamic environments that, in both scale and complexity, would be expected to protect the environment,” Fowler told TechNewsWorld.
He offered that US officials would also benefit from moving validated security solutions to the front of the line and accelerating mandatory audit timelines. Ultimately, as the federal government gains access to advanced security solutions more quickly, it may force attackers to adapt faster to try and keep pace.
“It is positive to see that the new strategy emphasizes the importance of mandating ‘security by design’ as well as focusing on robust technologies and building a better cyber workforce,” said Fowler.
Technology key element
Technology will also be critical in improving the speed and scale of the threat information sharing that the report calls for. Threat intelligence is important, but the threat landscape is vast and growing.
“Organizations need technology that cuts through the intelligence and identifies how a particular vulnerability affects their unique environment. They need that information fast,” recommended Fowler.
Distilling that information and turning it into a strategy based on bespoke organizational risk is a job for technology. He said that we cannot burden humans any longer as they need to be freed for strategy and treatment.
The future is one where a hybrid human-AI approach to cyber is essential. Fowler said the goal is to end up with a stronger, more resilient and better-enabled cyber workforce.
“This must be executed with innovative and accessible programs that are growing and investing in the next generation of security practitioners and upskilling them to further enhance workload efficiency and accelerate response times,” he said.
Ongoing training, preparation needed
The administration’s new cyber security efforts, unfortunately, don’t move the needle on what needs to be done to strengthen the security workforce we have today, warned Debbie Gordon, founder and CEO of Cloud Range, a live-fire OT/ICS cyber attack simulation training company.
“In any type of life safety sector — and that’s exactly what cyber security of critical infrastructure represents — the need for ongoing training and readiness is integral,” Gordon told TechNewsWorld.
As the cyber threat landscape changes daily, critical infrastructure sectors are the targets of the most advanced, nation-state-backed Advanced Persistent Threats (APTs). She advised that we cannot rely on annual training certifications to assure that our infrastructure is safe.
“Ongoing training requirements that can be measured against industry standard frameworks to validate their effectiveness can not only help organizations ensure they have the right skills to prevent and respond to attacks, are the right people. They can provide cybersecurity professionals with a clear path to expand their careers with cyber skills unique to operational technology (OT) cybersecurity,” said Gordon.