What is the New National Cybersecurity Strategy?
Throughout history, warfare has evolved. The Romans did it one way, the Vikings did it another—Sun Tzu, Richard the Lionheart, and the Allied forces all had different tactics that forced opponents to adjust their defenses and strategies.
Now in the modern technological age, the battlefield has largely gone digital, which—again—has meant the development of different attacks and protections against these attacks. But this latest new battle frontier is trickier—constantly advancing technology means organizations and entire countries are having to also constantly strengthen their cybersecurity.
In the United States, the Biden Administration has made several moves to protect the country against bad actors and threats that become more sophisticated every day. As a cybersecurity assessment firm that provides services assisting those working in both the public and private sectors, we’ve kept abreast of these developments.
Things have now changed again, as the White House announced in March 2023 that cybersecurity will be further prioritized as a key issue in the wake of several high-profile cyberattacks on U.S. organizations and infrastructure. To help you make sense of the latest, in this article, we’re going to break down this new National Cybersecurity Strategy.
With this move, President Biden has emphasized the need for a comprehensive approach to cybersecurity that involves both the public and private sectors—read on to understand more of what this will entail.
Previous Biden Administration Cybersecurity Initiatives
Before we jump into the latest, let’s look back at some of the previous key initiatives and policies related to cybersecurity under the Biden administration:
- Executive Order on Improving the Nation's Cybersecurity: Outlined a series of cybersecurity initiatives for federal agencies and contractors, including measures to enhance security for federal networks, improve information-sharing between government agencies and the private sector, and establish a cybersecurity safety review board.
- Creation of a Cybersecurity Directorate: Established a Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security that will focus on protecting critical infrastructure from cyberattacks.
- Increased Funding for Cybersecurity: Proposed significant increases in funding for cybersecurity initiatives, including $10 billion for CISA and $750 million for the Department of Defense's Cybersecurity Maturity Model Certification.
- Strengthening International Cooperation: Emphasized the need for international cooperation on cybersecurity issues, including working with allies to combat ransomware attacks and holding nations accountable for cyberattacks originating from their territory.
Breaking Down the National Cybersecurity Strategy
Now, the White House has introduced the National Cybersecurity Strategy to “allocat[e] roles, responsibilities, and resources in cyberspace” to further adapt to the more complex and dynamic threat landscape.
At the moment, there’s concern over state and non-state actors that are developing new techniques to exploit vulnerabilities and disrupt critical systems. In addition, emerging technologies such as artificial intelligence, the Internet of Things (IoT), and cloud computing are creating new attack surfaces and more devastating cyber threats.
To address these challenges, a more intentional, coordinated, and well-resourced approach to cyber defense is necessary—hence, the administration’s new strategy. “To secure the full benefits of a safe and secure digital ecosystem” through this strategy, the plan is to:
- Assign responsibility for maintaining a secure cyberspace: Such responsibility will be redistributed from end users, small organizations, and local governments to those organizations that are “most capable” and “best positioned.”
- Incentivize cybersecurity investments: These incentives will encourage long-term investment in cybersecurity and improve the resilience and security of critical infrastructure, businesses, and individuals.
Such improvements include the implementation of advanced security controls, such as multi-factor authentication, encryption, and intrusion detection and prevention systems to prevent and detect cyber-attacks—maybe once these were considered “nice to have,” but they’ve since become essential defense mechanisms. More mature security programs are also considering and leveraging emerging technologies such as machine learning and blockchain to improve threat intelligence and response capabilities.
But it no longer suffices to just integrate new tech—a culture of cybersecurity must be fostered organizationally:
- Assign clear roles and responsibilities to individuals and teams.
- Provide regular training and awareness programs to employees.
- Consider partnerships with other organizations, such as government agencies and industry groups, that can also enhance cybersecurity through information sharing, incident response, and collaborative defense initiatives.
The Five Pillars of the National Cybersecurity Strategy
That’s the new national cybersecurity strategy at a high level; the specifics are divided into five pillars that focus on how to incorporate and expand upon existing initiatives, while also introducing new efforts to advance the United States towards a more secure future:
1. Defend Critical Infrastructure
This pillar is first for a reason—the White House has stated that building confidence in the availability and resilience of infrastructure is a crucial part of their strategy. This will be done by:
- Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety while also harmonizing regulations to reduce the burden of compliance;
- Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and
- Defending and modernizing federal networks and updating federal incident response policy.
2. Disrupt and Dismantle Threat Actors
Next, the strategy seeks to disable malicious actors, rendering them incapable through:
- The strategic employment of national power to disrupt adversaries;
- Engagement with the private sector in disruption activities through scalable mechanisms; and
- Use of a comprehensive federal approach to the ransomware threat while remaining in lockstep with our international partners.
3. Shape Market Forces to Drive Security and Resilience
As mentioned before, the strategy will “place responsibility on those within our digital ecosystem that are best positioned to reduce risk”—this will be done by:
- Promoting privacy and the security of personal data;
- Shifting liability for software products and services to promote secure development practices; and
- Ensuring that federal grant programs promote investments in new infrastructure that are secure and resilient.
4. Invest in a Resilient Future
But it won’t all be put on individual organizations—the government is putting its money where its mouth is and will use the following approaches to invest in the latest innovative technology for the safe harboring of information:
- Reduce systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression;
- Prioritize cybersecurity R&D for next-generation technologies such as post-quantum encryption, digital identity solutions, and clean energy infrastructure; and
- Develop a diverse and robust national cyber workforce.
5. Forge International Partnerships to Pursue Shared Goals
This pillar doesn’t just entail collaborating in international cyberspace to learn and adapt to trends in security threats—the details make it also sound like the White House will be wielding an enforcing hand to deal with “irresponsible behavior [in cyberspace that] is isolating and costly.”
These details include:
- Leveraging international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition;
- Increasing the capacity of our partners to defend themselves against cyber threats, both in peacetime and in crisis; and
- Working with our allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology as well as operational technology products and services.
How to Prepare for the National Cybersecurity Strategy
As you consider your cybersecurity posture in light of the National Cybersecurity Strategy, there are several steps you can take to prepare over the short term:
Over the next 30 days:
Assess your current cybersecurity measures and identify any vulnerabilities—this could involve performing an internal risk assessment or working with a third-party provider (like Schellman) to conduct an external assessment.
Over the next 60 days:
Take action to address any vulnerabilities identified in that initial assessment, including:
Over the next 90 days:
Establish ongoing monitoring and maintenance processes to ensure that your cybersecurity posture remains strong and up-to-date over time.
This could include regular vulnerability scans, penetration testing, or other forms of ongoing assessments to identify and address potential security risks.
Throughout this process, you should also ask the right questions of your assessment provider to ensure you’re getting the most comprehensive and effective assessment possible—check out these resources to help you get the most out of your investment:
- 3 Questions to Ask Your Single-Provider Cybersecurity Firm
- Return on Investment in Audit and Compliance
- Low-Cost Audit Firms: 5 Things to Consider
Next Steps Regarding the National Cybersecurity Strategy
Just as other generals in history had to adjust their tactics for success on the battle landscapes of their time, so too do modern leaders have to account for the threat landscape in cyberspace—this new national cybersecurity strategy is the latest step for the American federal government. Now that the strategy has been released, the Biden administration anticipates it will publicly release the implementation plan for the strategy in "the coming months."
But that doesn’t mean you can’t get started on your preparation now. Though we’ve just laid out the details of the country’s new approach, along with some incremental steps to get you started, you may already feel like you’d like the opinion of a third-party assessor in helping you elevate your cybersecurity.
Schellman specializes in assessing cloud systems and traditional, on-premise, or colocated federal environments. Our methodology is based on decades of experience in performing assessments, and we offer assessments against various federal frameworks and programs—depending on your needs, we might be the right firm for you.
If you’re interested in learning more about our integrated approach to projects—a practice that enables organizations to achieve multiple compliance initiatives through Schellman as their single provider, resulting in significant cost savings—please contact us so that we can better understand your environment, industry, and how we can help.
About COLLIN VARNER
Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin focuses primarily on IT attestation, audit, and compliance activities as they relate to numerous standards including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.