The nation needs to “make fundamental shifts” in how it allocates roles, responsibilities and resources in cyberspace, according to a White House statement on the new National Cybersecurity Strategy.
The Biden administration released its stance on cybersecurity in recent weeks, with an emphasis on having those who own or operate important technologies and infrastructure take more responsibility for defending against cyberattacks.
The strategy emphasizes restructuring incentives to favor long-term investments in cybersecurity while aligning actions with values that uphold democracy, equity, diversity and more.
Daniel Ragsdale, vice president of Defense Department strategy for Two Six Technologies, described the framework as a “forward-thinking document that is a clear departure from earlier cybersecurity strategies.”
The strategy was developed through a collaboration of government, industry and academic stakeholders with the goals of ensuring economic security and prosperity, protecting human rights and freedoms and maintaining trust in democratic institutions.
“Earlier strategies, dating back to 2003, relied heavily on voluntary measures and cooperation but did not provide adequate incentives or inducements to encourage collaboration or mandate compliance,” Ragsdale said. “Additionally, earlier strategy documents did not place the appropriate responsibility for securing sensitive data and critical systems on the prominent organizations in the public and private sectors that are best equipped and resourced to protect those systems and data.”
As a result, Ragsdale said an undue burden of responsibility is placed on individual citizens and small groups, which often lack the necessary resources, knowledge or expertise to protect the data and systems they depend on.
The strategy comes in response to the collision of rapidly evolving technologies and the rise of state and non-state threats. It’s designed to protect infrastructure investments, develop clean energy efforts and re-shore America’s technology and manufacturing base.
In addition to shifting more responsibility onto federal agencies and large corporations, the strategy also proposes implementing “novel regulatory, grantmaking and budgetary measures” that provide incentives for prioritizing resilience, security and trustworthiness, Ragsdale said. Furthermore, it emphasizes the importance of ongoing development and implementation of a Cyber Workforce and Education Strategy, which will be released this summer.
The strategy comes on the heels of other recent executive orders that aim to improve cybersecurity, address critical infrastructure control systems, move government toward zero trust principles and promote leadership in quantum computing while mitigating risks to cryptographic systems.
Collaboration, through public-private partnerships, intergovernmental efforts and more, is at the heart of the strategy. It includes five pillars:
- Defend critical infrastructure by enforcing minimum security requirements, removing roadblocks to public-private partnerships necessary for defending essential services and infrastructure, modernizing federal networks and updating incident response policies.
- Disrupt and dismantle threat actors by leveraging private sector solutions and resources, addressing ransomware threats in lockstep with international partners, and strategically employing “all tools of national power” to thwart adversaries.
- Shape market forces to drive security and resilience by promoting privacy and security of personal data, shifting liability for software products and services to promote secure development practices and tailoring federal grant programs to elevate investments in more secure and resilient infrastructure.
- Invest in a resilient future by reducing systemic technical vulnerabilities in the foundation of the internet, prioritizing research and development for next-generation technologies (including post-quantum encryption, digital identity solutions and clean energy infrastructure) and developing a robust and diverse national cyber workforce.
- Forge international partnerships to pursue shared goals by holding governments accountable for their behavior in cyberspace, investing in joint preparedness with like-minded nations, increasing the capacity of partners to defend themselves against cyber threats, and working with allies to make trustworthy global supply chains for communications and operational technology and services.
“Now that the overall strategy has hit the streets, the hard work begins,” Ragsdale said. “The challenge for all stakeholders will be to develop fully coordinated and impactful implementation plans.”