2023 National Cybersecurity Strategy Review 

The 2023 National Cybersecurity Strategy targets critical infrastructure owners. Learn about the Strategy’s key points and implications.

The White House released the new National Cybersecurity Strategy (the Strategy) on March 2, 2023. The Strategy set out an ambitious goal: “a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”

In general, the document mainly targets critical infrastructure owners, vendors, and software developers, providing them with guidelines regarding how companies in the US allocate roles, responsibilities, and resources in cyberspace. In short, the 2023 National Cybersecurity Strategy: 

  • outlines the main threats to national cybersecurity in a highly interconnected environment;
  • moves away from the voluntary adoption of cybersecurity risk management, calling for stronger regulation to protect “critical infrastructure”;
  • shifts the burden of cybersecurity from individuals, small businesses, and local government to large critical infrastructure owners, vendors, and software developers;
  • seeks to enable “real-time, actionable, and multi-directional” information exchange between the public and private sectors.

Continue reading to learn more about the new Cybersecurity Strategy and its implications for the national cybersecurity environment. 

The Strategy is a Part of the Federal Cybersecurity Legislation Puzzle 

The 2023 Strategy was released as a response to emerging cybersecurity threats and influential cybersecurity events, including the attacks on SolarWinds, Microsoft Exchange, and Colonial Pipeline. We’ve discussed these incidents in detail in our previous blog posts, “Ransomware Hits Critical Infrastructure: a Case of Colonial” and “Cyber Threats to National Security.”

Several documents were issued to boost national cybersecurity in response to these and other attacks targeting critical infrastructure during 2021 – 2022. The release of the Strategy was preceded by executive orders, strategies for meeting cybersecurity standards, and other law enforcement efforts to improve the nation’s cybersecurity, namely: 

  • President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity – strengthens the nation’s cybersecurity defenses by mandating all federal agencies use basic cybersecurity measures (such as multifactor authentication (MFA)) and requiring new security standards for software developers that contract with the federal government;
  • President Biden’s 2021 national security memorandum – directs his administration to develop cybersecurity performance goals for U.S. critical infrastructure;
  • M-22-09 Federal Zero Trust Strategy – sets a new baseline for access controls, prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied;
  • The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – expands the reporting obligations of covered entities. Organizations operating in the 16 critical infrastructure sectors are mandated to report significant cyber incidents to CISA.

Given the rapidly developing body of national cybersecurity legislation, the Strategy is a frame of that large puzzle. It outlines the direction in which federal cybersecurity legislation is developing.

The Main Threats to National Cybersecurity

The Strategy outlines the main threats to national cybersecurity in a highly interconnected virtual environment. It admits that global interconnectivity enables scalable business security solutions and information exchanges yet introduces heightened cybersecurity risks. A single attack on an organization or a sector can rapidly spill over to other industries, states, and regions. For instance, Russia’s 2017 “NotPetya” cyber attack on Ukraine spread across Europe, Asia, and the Americas, causing billions of dollars in damages. And the potential harm of such an attack, or a similar one, will increase exponentially due to the interdependencies.

The document classifies ransomware attacks as a “threat to national security, public safety, and economic prosperity.” It also adds that autocratic states like Russia, Iran, and North Korea are those that elevate ransomware attacks. The governments of these states often misuse advanced cyber capabilities to pursue criminal objectives, disregarding the rule of law and threatening U.S. national security. For instance, North Korea uses cyberattack earnings to advance its nuclear and missile arsenal, the UN reports. Russia is linked to an offensive on the Colonial Pipeline. China uses its cyber weapons to target civilian and critical infrastructure, airports, railways, banks, hospitals, schools, etc. This means that sophisticated cyberattacks may be considered a weapon of mass destruction or, at least, disruption. Read more on how autocratic regimes threaten U.S. national cybersecurity in our article “Cyber Threats to National Security.”

The Key Points to Understand the Strategy 

As we noted above, the new Cybersecurity Strategy targets critical infrastructure owners. Here are the key points to understand the essence of the Strategy.

Five Pillars of the National Cybersecurity Strategy 

The Strategy aims to tackle some of the most challenging and complex U.S. issues in cybersecurity, software liability, and regulatory programs through public-private communication. To achieve this aim, the Strategy focuses on the following five pillars:

  • defending critical infrastructure; 
  • disrupting and dismantling threat groups; 
  • shaping market forces to drive security and resilience; 
  • investing in a resilient future, and 
  • forging international partnerships to pursue shared goals. 

Shifting the Cybersecurity Burden to Software Developers

The first, and probably one of the most critical things in the 2023 National Cybersecurity Strategy, is that it shifts the cybersecurity burden from individuals, small businesses, and local governments to the entities with the greatest expertise and resources. These include sizeable critical infrastructure owners, vendors, and software developers. 

Large entities are accepting this change with caution. They may argue the new framework will require raising stakes – in budgets, human resources, and requirements. This, in turn, may increase the cost of products and services that would be passed down to consumers. However, economically speaking, making the infrastructure owners and software developers more responsible is fair. Governments of developed countries regulate most of the critical industries. One cannot just manufacture what one wants without following prescribed safety, quality, and reliability standards. Software and cloud solutions should not be an exception.

Cybersecurity Regulation Instead of Voluntary Adoption

The Strategy moves away from the long-standing approach of voluntary adoption of cybersecurity risk management, which has produced “inadequate and inconsistent outcomes,” to promoting strict cybersecurity regulatory standards. The Strategy takes a new dual approach to boost cybersecurity. First, it calls for entities that fail to implement basic security safeguards to bear the liability while protecting those that “securely develop and maintain their software products and services.” Second, it requires assessing whether current Sector Risk Management Agencies have the resources and capabilities to oversee cybersecurity efforts adequately.

Reliance on Intensive and Open Collaboration 

The Strategy also aims to improve how critical infrastructure companies coordinate with the federal government. The Strategy seeks to enable information exchange between the public and private sectors through technology solutions. It also strives to improve private sector access to federal government resources in response to cybersecurity incidents and expand access to classified information. Such collaboration and information exchange should ensure a properly balanced regulation that would consider the legitimate interests of all concerned parties.

In addition, the Strategy calls for a focus on international partnerships. Working with like-minded nations would definitely help fight threats and create secure global supply chains for communications technology.

In Summary

The 2023 National Cybersecurity Strategy is a slightly extreme yet necessary solution to enhance national cybersecurity. This solution, however, will take effort to enforce. For example, the first attempt at extending regulatory frameworks in the wake of the 2021 Colonial Pipeline attack failed because the frameworks were reactive, created without consulting regulated companies, and overly prescriptive. At the same time, the specific requirements for critical infrastructure owners and software developers will be paramount for the eventual success of the proposed legislation. Therefore, to succeed in the Strategy implementation, close public-private collaboration is necessary.  

Keep reading our blog to stay updated on recent cybersecurity and compliance-related topics. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646