New WH Cyber Policy Met With Praise, Cautionary Concerns
The White House on Thursday released its long-expected National Cybersecurity Strategy. The new federal policy assigns much of the digital security responsibility to tech firms rather than more federal regulations.
The policy document urges more mandates on the firms that control most of the nation’s digital infrastructure. It also preaches an expanded government role to disrupt hackers and state-sponsored entities.
But this strategy creates a cybersecurity roadmap for new laws and regulations over the next few years aimed at helping the U.S. prepare for and fight against emerging cyber threats. It sets the pace for long-term government actions that will:
- Explore a national insurance backstop in the case of a catastrophic cyberattack to supplement the existing cyber insurance market;
- Focus on defending critical infrastructure by expanding minimum security requirements in specific sectors and streamlining regulations;
- Treat ransomware as a national security threat, not just a criminal issue.
That sets in motion a fundamental directional shift in the government’s cybersecurity vision. The change in focus reflects how the United States allocates roles, responsibilities, and resources in cyberspace.
It also rebalances the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments. Instead, the onus is on the most capable and best-positioned organizations to reduce risks for all of us, according to the policy declarations.
“The Strategy recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity,” the White House said in its announcement.
The New Approach
The Biden-Harris strategy seeks to build and enhance collaboration around five pillars:
- Defend Critical Infrastructure;
- Disrupt and Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future through strategic investments and coordinated, collaborative action to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure;
- Forge International Partnerships to Pursue Shared Goals.
With those pillars in place, the newly harnessed global allies and partners will make the United States’ digital ecosystem defensible, resilient, and values-aligned, according to the policy statement.
Federal Cybersecurity Requirements, Enforcement
The federal government is visibly and meaningfully committing to expanding mandatory minimum cybersecurity requirements across critical sectors, offered CyberSheath CEO Eric Noonan.
He added that this is a refreshing acknowledgment of the federal government’s role and a complete abandonment of the original 2003 strategy, which stated that federal regulation would not be a primary means of securing cyberspace.
“It might have taken 20 years, but the federal government is now saying the quiet part out loud. The lack of mandatory cybersecurity minimums has failed, and regulatory mandates are coming, so get your house in order,” Noonan told TechNewsWorld.
The strategy also makes it clear that where the government does not have the authority to mandate minimum standards, the administration will work with Congress to close those gaps and regulate the unregulated, he observed.
Noonan predicted that a sea change is coming in our ability to detect and defend against cyber threats. But that only happens if agencies like the DOD, SEC, FCC, and the rest of the federal government use the full weight of their regulatory powers to establish and enforce mandatory cybersecurity minimums across their respective contractors and suppliers.
“That is the single most impactful thing the federal government can do for our nation’s cyber defense, and this strategy does it,” he said.
Positive Backing From the EU
Martin Riley, director of managed security services at cyber firm Bridewell, is pleased to see the United States’ change of attitude regarding cybersecurity.
“It is great to see these steps coming into effect. We in Europe have found ourselves in a place of leadership across many of these areas with regulations such as NIS and GDPR driving the agenda for years,” Riley told TechNewsWorld.
That puts the European Union in a great position to assist its U.S. allies and lead them forward in the goal of cyber resilience, he added. “I look forward to digging into the details to see the incentives the U.S. government is going to apply so that these practices are taken up equally across all states and relevant sectors.”
Employing Updated Technology Crucial
The report emphasizes modernizing federal security. A crucial part of this must be accelerating the government’s ability to onboard modern and next-generation security technologies, advised Marcus Fowler, CEO of Darktrace.
“Government agencies must be able to efficiently test technologies in dynamic environments that mirror, in both scale and complexity, the environment they will be expected to defend,” Fowler told TechNewsWorld.
He offered that U.S. officials would also benefit from moving validated security solutions to the front of the line and accelerating mandatory audit timelines. Ultimately, when the federal government gains access to advanced security solutions more quickly, it can force attackers to adapt rapidly to try to keep pace.
“It is positive to see the new strategy emphasizes the importance of mandating ‘security by design’ as well as the focus on robust technologies and creating a better cyber workforce,” Fowler said.
Technology Critical Element
Technology will also be critical for improving the speed and scale of the threat intelligence sharing that the report calls for. Threat intelligence is vital, but the threat landscape is vast and growing.
“Organizations need technology that cuts through the intelligence and identifies how a particular vulnerability impacts their unique environment. They need that information fast,” Fowler recommended.
Distilling that information and translating it into a strategy based on bespoke organizational risk is a job for technology. We cannot put the onus on humans any longer because they need to be freed up for strategy and remediation, he said.
The future calls for a hybrid human-AI approach to cyber, in pursuit of a stronger, more robust, and better-enabled cyber workforce, noted Fowler.
“That must be executed with innovative and accessible programs that are both growing and investing in the next generation of security practitioners and augmenting them to get further faster and increase workload efficiency and accelerate response times,” he said.
Ongoing Training, Readiness Needed
The administration’s new cybersecurity efforts, unfortunately, do not move the needle on what needs to be done to strengthen the security workforce we have today, cautioned Debbie Gordon, founder and CEO of Cloud Range, a live-fire OT/ICS cyberattack simulation training company.
“In any type of life safety field — and that is exactly what cybersecurity of critical infrastructure represents — the need for ongoing training and readiness is integral,” Gordon told TechNewsWorld.
The cyber threat landscape changes daily, with critical infrastructure sectors being the targets of the most advanced, nation-state-backed advanced persistent threats (APTs). We cannot depend on a yearly training certificate to be confident that our infrastructure is protected, she advised.
“Requirements for ongoing training that can be measured against industry standard frameworks to validate their effectiveness can not only help organizations ensure they have the right people with the right skills to prevent and respond to attacks in place. They can also provide cybersecurity professionals with a clear pathway to expand their careers with the cyber skills unique to operational technology (OT) cybersecurity,” Gordon said.