The release of the new US National Cybersecurity Strategy is another significant step in the development of government policy following President Biden’s Executive Order nearly two years ago.
At its core, the strategy is based on the need for “two fundamental shifts”. The first is to rebalance the responsibility to defend cyberspace; the second is to realign incentives to favor long-term investments. Speaking to CNN, Homeland Security Secretary Alejandro Mayorkas underlined these priorities, saying, “We have to drive the entire ecosystem to be more cyber vigilant.”
This signals a significant change in how the government expects organizations across the economy to address cybersecurity risks. As the strategy announcement sets out, “when entities across the public and private sectors face trade-offs between temporary fixes and long-term solutions, they must have the resources, capabilities, and incentives to choose the latter.”
Shifting the burden
As explained by Bleeping Computer, the strategy also puts the focus on “shifting the burden of defending the country’s cyberspace towards software vendors and service providers.” Quoting Acting National Cyber Director Kemba Walden, CNBC reported: “the biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
The strategy goes on to explain that “companies that make software ... must be liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers.” It also emphasizes the importance of areas such as defending critical infrastructure, disrupting and dismantling threat actors and forging international partnerships to pursue shared goals.
To increase the scale of public-private partnership, the Federal Government will also deepen operational and strategic collaboration with software, hardware and managed service providers. The objective is to “reshape the cyber landscape in favor of greater security and resilience.”
Driven by the rising cost of cybersecurity incidents and major breaches such as the SolarWinds hack and the Colonial Pipeline ransomware attack, momentum behind greater government involvement has been growing. In August 2021, for example, US lawmakers introduced a bipartisan bill to require some businesses to report cyber incidents to the government so that it could “mobilize to protect critical industries across the country.”
And last year, President Biden signed a new reporting mandate into law, requiring critical infrastructure operators to report cyber attacks within 72 hours and ransomware payments within a day of them taking place.
Looking ahead, the new cybersecurity strategy marks an important step in realigning how organizations in the US and beyond approach cybersecurity. In the months ahead, it will be interesting to see to what extent other countries and authorities seek to strengthen their approach to a problem that continues to grow at an alarming rate.