Biden administration unveils National Cybersecurity Strategy to protect U.S. against growing cyber threats

The White House
Courtesy of Debbie Cohen

On March 2, the Biden-Harris Administration released its highly anticipated National Cybersecurity Strategy, a policy response to the rising tide of cyber threats to the public and private sectors. This new strategy seeks to set minimum standards for the protection of critical infrastructure, but it is also a fundamental shift from how the government has previously handled cybersecurity.

Thus far, the government’s focus has generally been on non-binding frameworks, encouraging collaboration and information sharing. This new strategy focuses more on leveraging the government’s regulatory power and would shift the responsibility for cyber resilience from consumers and small- and medium-sized businesses to multimillion-dollar tech giants that often produce software and hardware with significant flaws.

“The president’s strategy fundamentally reimagines America’s cyber social contract,” said Acting National Cyber Director Kemba Walden during a press briefing shortly before the release of the guidelines. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”

The new White House strategy proposes legislation that creates liability for software manufacturers who fail to take reasonable steps to secure their products. According to the statement on the new effort, the goal is to shift the burden for cybersecurity away from individuals, small businesses and local governments, and onto the organizations that are most capable and best-positioned to reduce collective risks.

“The publication of the Biden administration’s National Cybersecurity Strategy acknowledges the critical and growing importance of digital services across critical infrastructure and pervasive in both government and the private sector,” said Robert Booker, chief strategy officer for the cybersecurity risk and compliance framework alliance HITRUST. “The use of market forces to support and sustain a safe and secure ecosystem is critical to accelerate innovation and consumer engagement in key areas including health care, commerce and financial services. All industries including critical infrastructure exist in a complex threat environment which is dynamic and where security requires collaboration and innovation jointly across and between the government and the private sector.”

Rising cyber threat and national defense

One of the reasons this new cyber strategy is necessary is that the previous, voluntary approach to collective defense has not been effective. Urging companies to share information and “do the right thing” has failed to create significant movement in raising our baseline defense for critical industries. The Biden administration strategy looks to use the tools of national power in a coordinated manner to protect national security, public safety and economic prosperity.

Under Biden, the manufacturing sector and critical infrastructure have faced repeated pressure from sophisticated hackers, often backed by nation-state actors like China, Russia and North Korea. From its earliest days in the White House, the administration has been forced to deal with a near-constant stream of cyberattacks: software supply chain attacks like SolarWinds, strikes on oil and gas like Colonial Pipeline and destructive ransomware attacks like the one on global meat supplier JBS. These and other breaches have strengthened the call for more regulation of critical industries.

“The sophistication of state and non-state actors and criminal activity that leverages the technology that Americans rely upon every day is a persistent problem and one that cybersecurity and business leaders across American industry take seriously,” Booker said. “The National Cybersecurity Strategy is an ambitious undertaking focused on cyber defense, resiliency and defensibility, among other outcomes. As the federal government moves toward mandates for critical infrastructure cybersecurity, we encourage approaches that incentivize American companies to leverage and integrate mature security capabilities from the private sector and that use transparent and continually updated measurement and assurance systems to assess and sustain security capabilities in the face of constantly changing threats.”

The Biden Administration has already taken steps to secure the digital ecosystem, including the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles) and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems).

“Adversaries in cyberspace are evolving at an alarming rate and are always looking for new markets to attack,” said Moty Kanias, vice president of cyber strategy and alliances for industrial device cybersecurity company NanoLock. “In fact, manufacturing has become the No. 1 target in the past year, according to reports from leading companies. Protecting critical infrastructure and production lines at the industrial device level is an essential next step beyond today’s requirements for common detection, monitoring and segmentation solutions to address a problem that is becoming increasingly more complex.”

National Cybersecurity Strategy pillars

Dragos’ recent Year in Review report highlighted the growing threat to industrial control systems (ICS) and operational technology (OT). They found that ransomware attacks against industrial organizations increased by 87% over the previous year and that there were 35% more ransomware groups impacting ICS/OT in 2022. In fact, 72% of all ransomware attacks targeted 437 manufacturing entities in 104 unique manufacturing sectors.

The new government effort attempts to make the digital ecosystem more defensible, where that defense is easier, cheaper and more effective; and more resilient, where cyber incidents and errors have little widespread or lasting impact. This strategy centers around five key pillars:

  1. Defend critical infrastructure – Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance; enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and defending and modernizing federal networks and updating federal incident response policy.
  2. Disrupt and dismantle threat actors – Strategically employing all tools of national power to disrupt adversaries; engaging the private sector in disruption activities through scalable mechanisms; and addressing the ransomware threat through a comprehensive federal approach and in lockstep with our international partners.
  3. Shape market forces to drive security and resilience – Promoting privacy and the security of personal data; shifting liability for software products and services to promote secure development practices; and ensuring that federal grant programs promote investments in new infrastructure that are secure and resilient.
  4. Invest in a resilient future – Reducing systemic technical vulnerabilities in the foundation of the internet and across the digital ecosystem while making it more resilient against transnational digital repression; prioritizing cybersecurity research and development for next-generation technologies such as post-quantum encryption, digital identity solutions and clean energy infrastructure; and developing a diverse and robust national cyber workforce.
  5. Forge international partnerships to pursue shared goals – Leveraging international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response and cost imposition; increasing the capacity of our partners to defend themselves against cyber threats, both in peacetime and in crisis; and working with our allies and partners to make secure, reliable and trustworthy global supply chains for information and communications technology and operational technology products and services.

“The newly released National Cybersecurity Strategy is a huge step in the right direction for the world in the fight against cybercrime and state-driven adversaries,” Kanias said. “We commend the work done by the agencies involved and hope that they will continue to prioritize the security of the nation’s critical infrastructure. It is crucial for allied countries to work together towards cyber supremacy, to fight cyber criminals and to create new cyber security solutions that will tilt the equation.”

Cybersecurity issues to address

While the National Cybersecurity Strategy is a step in the right direction, there are still major issues in the field that need to be addressed. The case for increased cybersecurity, even for critical infrastructure, can still be hard to make, especially since much of infrastructure is in the hands of private corporations. Implementing more regulations — both carrot and stick — can be helpful, but it also could put a strain on companies.

“The National Cyber Strategy’s nonvoluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and boards alike,” said Edgard Capdevielle, CEO of Nozomi Networks. “While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces is going to be difficult, as it is for most companies in this macroeconomic climate.”

Another major issue is that the potential cybersecurity workforce is not keeping pace with growing demand, creating a significant cyber talent gap. According to (ISC)²’s 2022 Cybersecurity Workforce Study, the industry is still facing a shortage of 3.4 million security professionals. While the new strategy talks about “developing a diverse and robust national cyber workforce,” there is still much work to be done to stem the rising tide of threats.

“While we applaud the administration’s goal to build out our national cyber workforce under Strategic Objective 4.6 and develop our nation’s next generation of cyber talent, it unfortunately doesn’t move the needle on what needs to be done to strengthen the workforce we have today,” said Debbie Gordon, founder and CEO for live-fire OT/ICS cyberattack simulation training company Cloud Range. “In any type of life safety field — and that is exactly what cybersecurity of critical infrastructure represents — the need for ongoing training and readiness is integral. The cyber threat landscape changes daily, with critical infrastructure sectors being the targets of the most advanced, nation-state backed APTs, so we can’t depend on a yearly training certificate to be confident that our infrastructure is being protected.

“Requirements for ongoing training that can be measured against industry standard frameworks to validate their effectiveness can not only help organizations ensure they have the right people with the right skills to prevent and respond to attacks in place, they can also provide cybersecurity professionals with a clear pathway to expand their careers with the cyber skills that are unique to OT cybersecurity.”

Kanias also suggested the U.S. follow in the footsteps of other countries that have taken steps to harden their critical infrastructure security.

“In July 2022, Singapore took the important step of deepening regulations for critical infrastructure and is now demanding that critical infrastructure prevent cyberattacks on field controllers, such as PLCs, RTUs, industrial computers and more,” he said. “Other countries, including the U.S., must follow this path to protect critical infrastructure from massive cyberattacks.”



