The 2023 National Cybersecurity Strategy targets critical infrastructure owners. Learn about the Strategy’s key points and implications
The White House released the new National Cybersecurity Strategy (the Strategy) on March 2, 2023. The Strategy set out an ambitious goal: “a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
In general, the document mainly targets critical infrastructure owners, vendors, and software developers, providing them with guidelines regarding how companies in the US allocate roles, responsibilities, and resources in cyberspace. In short, the 2023 National Cybersecurity Strategy:
Continue reading to learn more about the new Cybersecurity Strategy and its implications for the national cybersecurity environment.
The 2023 Strategy was released as a response to emerging cybersecurity threats and influential cybersecurity events, including the attacks on SolarWinds, Microsoft Exchange, and Colonial Pipeline. We’ve discussed these incidents in detail in our previous blog posts, Ransomware Hits Critical Infrastructure: a Case of Colonial and Cyber Threats to National Security.
Several documents were issued to boost national cybersecurity in response to these and other attacks targeting critical infrastructure during 2021 – 2022. The release of the Strategy was preceded by executive orders, strategies for meeting cybersecurity standards, and other law enforcement efforts to improve the nation’s cybersecurity, namely:
Given the rapidly-developing national cybersecurity legislation basis, the Strategy is a frame of that large puzzle. It outlined the developmental vector of federal cybersecurity legislation.
The Strategy outlines the main threats to national cybersecurity in a highly interconnected virtual environment. It admits that global interconnectivity enables scaleable business security solutions and information exchanges yet introduces heightened cybersecurity risks. A single attack on an organization or a sector can rapidly spill over to other industries, states, and regions. For instance, Russia’s 2017 “NotPetya” cyber attack on Ukraine spread across Europe, Asia, and the Americas, causing billions of dollars in damages. And the potential harm of such or a similar attack will increase exponentially due to the interdependencies.
The document classifies ransomware attacks as a “threat to national security, public safety, and economic prosperity.”It also adds that autocratic states like Russia, Iran, and North Korea are those who elevate ransomware attacks. The governments of these states often misuse advanced cyber capabilities to pursue criminal objectives, disregarding the rule of law and threatening U.S. national security. For instance, North Korea uses cyberattack earnings to advance its nuclear and missile arsenal, the UN reports. Russia is linked to an offensive on the Colonial Pipeline. China uses their cyber weapons to target civilian and critical infrastructure, airports, railways, banks, hospitals, schools, etc. It means that sophisticated cyberattacks may be considered a weapon of mass destruction or, at least, disruption. More on how autocratic regimes threaten the U.S. national cybersecurity read in our article Cyber Threats to National Security.
As we noted above, the new Cybersecurity Strategy targets critical infrastructure owners. Here are the key points to understand the essence of the Strategy.
The Strategy aims to tackle some of the U.S. most challenging and complex issues in cybersecurity, software liability, and regulatory programs by public-private communication. To achieve this aim, the Strategy focuses on the following five pillars:
The first, and probably one of the most critical things in the 2023 National Cybersecurity Strategy, is that it shifts the cybersecurity burden from individuals, small businesses, and local governments to the entities with the greatest expertise and resources. These include sizeable critical infrastructure owners, vendors, and software developers.
Large entities are accepting this change with caution. They may argue the new framework will require raising stakes – in budgets, human resources, and requirements. This, in turn, may increase the cost of products and services that would be passed down to consumers. However, economically speaking, making the infrastructure owners and software developers more responsible is fair. Governments of developed countries regulate most of the critical industries. One cannot just manufacture what one wants without following prescribed safety, quality, and reliability standards. Software and cloud solutions shall not be an exception.
The Strategy moves away from the long-standing approach of voluntary adoption of cybersecurity risk management that has produced “inadequate and inconsistent outcomes” to promoting strict cybersecurity regulatory standards. The Strategy takes a new dual approach to boost cybersecurity. First, it calls for entities that fail to implement basic security safeguards to bear the liability while protecting those that “securely develop and maintain their software products and services.” Second, it requires assessing whether current Sector Risk Management Agencies have the resources and capabilities to oversee cybersecurity efforts adequately.
The Strategy also aims to improve how critical infrastructure companies have coordinated with the federal government. The Strategy seeks to enable information exchange between the public and private sectors through technology solutions. It also strives to improve private sector access to federal government resources in response to cybersecurity incidents and expand access to classified information. Such a collaboration and information exchange should ensure a properly balanced regulation that would consider the legitimate interests of all concerned parties.
In addition, the Strategy also calls for a focus on international partnerships. Working with like-minded nations would definitely help fight threats and create secure global supply chains for communications technology.
The 2023 National Cybersecurity Strategy is a slightly extreme yet necessary solution to enhance national cybersecurity. This solution, however, will take effort to enforce. For example, the first attempt at extending regulatory frameworks in the wake of the 2021 Colonial Pipeline attack failed because the frameworks were reactive, created without consulting regulated companies, and overly prescriptive. At the same time, the specific requirements for critical infrastructure owners and software developers will be paramount for the eventual success of the proposed legislation. Therefore, to succeed in the Strategy implementation, close public-private collaboration is necessary.
Keep reading our blog to stay updated on recent cybersecurity and compliance-related topics. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!