On March 2, 2023, the Biden administration announced the National Cybersecurity Strategy to create a secure cyberspace that boosts the growth of every business environment. The US government plans to achieve its goals by reflecting its values of economic security and prosperity, responsive and rights-respecting democracy, and a vibrant and diverse society.

Due to the revolutionary capability of the Internet, the way the world innovates, communicates, and shares information has reformed. With the newer premise comes a higher sense of equality, freedom of speech, and true democracy. However, all is not well with this new world. Threat actors, including private individuals, groups, and nation-states, have used these powers maliciously. 

Biden’s National Cybersecurity Strategy intends two paradigm shifts: rebalancing the responsibility to defend cyberspace and realigning incentives to favor long-term investments. This strategy shifts the responsibility of defending cyberspace to the biggest, most powerful, and best-placed players, including public and private sector organizations. Organizations are expected to invest their resources in long-term solutions rather than short-term ones. 

National Cybersecurity Strategy at a glance

The National Cybersecurity Strategy or the Strategy is built on five foundational pillars. Each pillar has multiple strategic objectives to defend cyberspace, disrupt cyber threats, invest in a resilient future, and forge robust partnerships to pursue shared goals. Let us look at the Strategy in some detail.

Pillar one: Defend critical infrastructure

The Strategy is designed to develop confidence among the American public regarding the availability and resilience of the essential services provided by the government. Defending the systems and assets connected to cyberspace is critical for national security, public safety, and economic stability.

The administration has established stringent regulations for certain sectors to protect critical infrastructure. In the others, new authorities will be required to set up regulations that can achieve better cybersecurity.

The administration is banking on the public-private partnership to make the systems cyber-resilient. The world saw one amazing partnership between the American public and private sectors during the ‘Shields Up’ campaign just before Russia attacked Ukraine in 2022. 

The Strategy aims to build a secure and resilient Federal infrastructure that can further become a model for critical infrastructure across the United States. The Strategy focuses on long-term efforts and investment in creating and implementing cybersecurity strategies, like zero-trust architecture modernization.

The following points show the strategies designed to implement the first pillar of the National Cybersecurity Strategy – defending critical infrastructure.

Strategic objective 1.1: Establish cybersecurity requirements to support national security and public safety

Although the voluntary requirements have produced discernible results in past years, they are not as effective as the mandatory provisions and regulations. New regulations are expected to bring cybersecurity and resilience while promoting healthy competition in the market.

The four main considerations for robust regulation are

• Customized for each sector considering their risk profiles
• Harmonized to reduce duplication
• Complimentary to both – public and private sector organizations
• Affordable cost of implementation

The administration plans on streamlining the existing regulations, developing new ones to protect critical infrastructure, and making cybersecurity affordable to all. 

Strategic objective 1.2: Scale public-private collaboration

Scaling public-private partnerships is imperative to bring the resilience level to its peak. The strategy of the administration is to realize a distributed, networked model by developing and strengthening collaboration between different organizations defending their systems through structured roles and responsibilities. The Strategy aims to increase connectivity and productivity through the automated exchange of data, information, and knowledge.

The Certified information systems auditor (CISA) is responsible for critical infrastructure security and resilience. CISA coordinates with Sector risk management agencies (SRMAs) to help the Federal Government to scale coordination. SRMAs are responsible for helping individual owners and operators to protect their systems. In short, the knowledge is passed on from the Federal Government to the private sector.

This strategy will allow data and information sharing in multiple directions. It will enable real-time and actionable information sharing to improve the cybersecurity posture of the public and private sectors.

Strategic objective 1.3: Integrate federal cybersecurity centers

There will be a gap in the capabilities where different Federal agencies, like homeland security, law enforcement, diplomatic, economic, and military missions, collaborate with each other to improve cybersecurity. This gap will be filled by the Federal Cybersecurity Centers. Intragovernmental collaboration is a prerequisite if the Federal Government wants to support non-Federal partners. 

Among many other efforts, the establishment of the Joint Cyber Defense Collaborative (JCDC) at CISA is one step forward in achieving the administrative goals of intragovernmental collaboration and partnerships with private and international sectors. 

Strategic objective 1.4: Update federal incident response plans and processes

When there are incidents in the private sector, the government should be able to help them navigate through the rough times. They should be aware of which government agencies to contact in case of an emergency. The Federal government should give clear instructions on how to contact the relevant agencies and which forms to fill out if there is a security incident. 

CISA, through its subordinate National Cyber Incident Response Plan (NCIRP), will lead to strengthening the processes, procedures, and systems to fully realize the “a call to one is a call to all” policy. 

Additionally, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is expected to raise awareness and the ability to respond effectively. The Cyber Safety Review Board (CSRB), via its cybersecurity leaders, will review big incidents and learn from mistakes made. 

Strategic objective 1.5: Modernize federal defenses

The administration will carry out long-term efforts to defend and modernize the Federal systems by implementing the zero-trust principle. In time, the Federal Government will become a model to the private sector by following the policies and procedures to make the systems more resilient to cyber-attacks.

Moreover, the National Security Systems (NSS) store and process the most sensitive information of the Federal Government and is continually fighting against imminent cyber threats. Plans will be developed to enhance the cybersecurity posture of NSS.

Pillar two: Disrupt and dismantle threat actors

In addition to raising our defenses, it is also important to disrupt and dismantle threat actors. The efforts to enhance national security and public safety in the US will collaborate the capabilities of diplomatic, information, military (physical and cyber), intelligence, law enforcement, and financial.

The Federal Government has taken stern actions, including arresting and prosecuting them, putting bans on their activities, disbarring them from accessing digital infrastructure and victim networks, on the cyber attackers to hold them accountable and recover ill-gotten gains.

In the future, the Federal Government plans to collaborate with the private sector to improve intelligence sharing, execute disruption campaigns at scale, deny adversaries’ use of US-based infrastructure, and thwart global ransomware campaigns.

Strategic objective 2.1: Integrate federal disruption activities

The goal of the Federal Government is to make cyber criminal activities unprofitable and ineffective for individual criminals as well as nation-states. They have integrated the efforts of various agencies, including the Department of Justice( DOJ) and other Federal law enforcement agencies, with their private counterparts to take down the criminal infrastructure and resources. Information gathered from incidents can help thwart other threats.

The Federal Government will now focus on the development of technological and organizational platforms that enable continuous, coordinated operations. The National Cyber Investigative Joint Task Force (NCIJTF) is a multi-agency focal point coordinating the efforts of all government agencies. The NCIJTF will increase its capacity to dismantle and disrupt cyber criminals with higher speed, frequency, and scale.

Strategic objective 2.2: Enhance public-private operational collaboration to disrupt adversaries

Quite often, the visibility into the adversary activities is higher in the private sector than in the Federal Government due to a rapid pace of technological innovations. On the other hand, the Federal Government has more resources at its disposal and the required authority to deal with adversaries than the private sector. A collaboration between the two can lead to miraculous results in the fight against cyber criminals.

Strategic objective 2.3: Increase the speed and scale of intelligence sharing and victim notification

After the collaboration with the private sector, the speed and efficiency of threat detection will increase drastically. The Federal Government can then pace up and scale the cyber threat intelligence to proactively warn the victims and alert the cyber defenders when it receives the information of a security compromise of a victim’s systems or the fact that it is being actively targeted.

The Federal Government will also review declassification policies and processes to determine the conditions under which additional precautions are necessary to access actionable information to owners and operators of critical infrastructure.

Strategic objective 2.4: Prevent abuse of US-based infrastructure

Malicious actors use US-based assets, including cloud infrastructure, domain registrars, and email providers, to launch cyber attacks against people living within and outside the US. Often, the US government is also a target for these malicious activities. The higher degree of separation of foreign resellers and US providers prevents the US authorities from taking action. 

Biden’s National Cybersecurity Strategy will encourage the Federal government to communicate effectively with the cloud providers and other US-based providers to identify the use of US infrastructure. It will smoothen the path for the victims to report the abuse of the system. It will also make it more difficult for criminals to use the US infrastructure for malicious purposes.

Strategic objective 2.5: Counter cybercrime, defeat ransomware

Ransomware is on the rise in every corner of the world due to the high returns to criminals. It is a threat to national security, public safety, and economic prosperity. The disruption caused by ransomware in essential services, like hospitals, banks, and fuel pipelines, has shown dire results. 

The US government will direct its efforts in curbing ransomware by putting in the following efforts to:

• Leverage international cooperation to disrupt ransomware and isolate countries that provide safe haven to criminals
• Investigate ransomware crimes and use authority to disrupt ransomware infrastructure and actors
• Boost critical infrastructure resilience to withstand ransomware attacks
• Address the use of virtual currency to launder ransomware payments

Pillar three: Shape market forces to drive security and resilience

The third way in which the US government plans to secure cyberspace is by shaping the market forces to drive security and resilience. The Federal Government aims to promote practices that improve the security and resilience of digital systems while preserving innovation and competition.

The organizations that don’t spend enough resources on cybersecurity bring down the effectiveness of those that do, as they are all connected through the market. Therefore, it is imperative to consider the market force in overcoming cyber threats for the nation. The Federal government will hold the steward of the data accountable for its protection. It will promote the development of more secure connected devices and reshape the data security laws.

Strategic objective 3.1: Hold the stewards of our data accountable

A data breach can prove pricey not only to the public but also to the government. If an organization is not spending on data protection, it is effectively transferring the cost to the American people. 

The Biden administration supports legislative efforts to introduce clear limits on collecting, using, transferring, and maintaining personal data and provide strong protection for sensitive data like health information and geolocation.

Strategic objective 3.2: Drive the development of secure IoT devices

Internet of Things (IoT) devices are devices that can be connected to the Internet. Both consumer goods, like baby monitors and fitness trackers, and industrial goods, like thermometers and sensors, are IoT devices. However, more often the security of IoT devices is not as robust as other devices, thereby making them vulnerable to cyber-attacks. The initial vectors of many big cyber attacks are these IoT devices.

The Biden administration recognizes this predicament and is willing to improve the security of IoT devices through research and development, procurement, and risk management efforts. To promote the same from the private sector, the government will continue to advance the deployment of IoT security labeling programs. Consumers will choose secure devices when comparing secure and unsecured IoT devices. In the long run, it will push organizations to produce secured devices. 

Strategic objective 3.3: Shift liability for insecure software products and services

To save cost and time, software developers often sell software with vulnerabilities. The product is harmful to the whole market in the long run. The administration will work with Congress and the private sector to develop legislation establishing software product and service liability. This legislation will promote higher security standards among software vendors.

The administration will drive the development of a safe harbor framework that will draw from current best practices for secure software development, like the NIST Secure Software Development Framework, to shield from liability those companies that maintain security in their software products. Additionally, the Biden Administration will encourage coordinated vulnerability disclosure across all technology types and sectors. 

Strategic objective 3.4: Use federal grants and other incentives to build security

To invest in cybersecurity and resilience, the Federal Government will offer grants to critical infrastructure that are designed, developed, fielded, and maintained with cybersecurity in mind. It will also prioritize funding for cybersecurity research, development, and demonstration (RD&D) programs to strengthen critical infrastructure cybersecurity and resilience. 

Strategic objective 3.5: Leverage federal procurement to improve accountability

The Federal Government plans to strengthen and standardize the contract requirements for cybersecurity across Federal agencies. If the contractual obligations are not followed the Civil Cyber-Fraus Initiative (CCFI) uses DOJ authorities under the False Claim Act to pursue civil actions against government grantees and contractors. 

Strategic objective 3.6: Explore a federal cyber insurance backstop

In case of a catastrophic incident, the Federal Government can be called upon to stabilize the economy and aid recovery. The administration assesses the need for and establishes possible structures of a Federal insurance response to catastrophic cyber events. Congress, state regulators, and industry stakeholders will come together to work on such a standard response.

Pillar four: Invest in a resilient future

Long-term investments in the secure, resilient, privacy-preserving, and equitable digital ecosystem can bring a resilient and flourishing digital future. The United States will be a world leader in secure and resilient next-generation technologies and infrastructure.

The Federal Government is planning on leveraging National Science Foundation’s (NSF’s) Regional Innovation Engines Program, Secure and Trustworthy Cyberspace program, and more to drive innovations and sustainability in cybersecurity. The administration plans on making resilience a commercially viable element of innovation and deployment processes.

Strategic objective 4.1: Secure the technical foundation of the internet

Every new thing built and connected to the Internet just adds to the vulnerabilities. Some of the existing concerns include Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and slow adoption of IPv6. Identifying the most pressing security challenges and developing effective security measures needs private and public sector collaboration. 

Standards are one way to bring on cyber resilience. The United States government will support non-governmental Standards Development Organizations (SDO) and partner with international allies, industry leaders, academic institutions, and more to promote security, resilience, and economic advancement.

Strategic objective 4.2: Reinvigorate federal research and development for cybersecurity

The Federal Government will update the Federal Cybersecurity Research and Development Cybersecurity Plan to identify, prioritize, and catalyze the RD&D community to prevent cyber security risk in current and future technologies. The Federal Government will collaborate with the efforts of all the sectors, including academia, manufacturing, and technology companies, to achieve its targets. The research will identify and mitigate the potential vulnerabilities. 

The RD&D investment will focus on

• Computer-related technologies – microelectronics, quantum information systems, and artificial intelligence
• Biotechnologies and biomanufacturing
• Clean energy technologies

Strategic objective 4.3: Prepare for our post-quantum future

If we want to develop global commerce, strong encryption is of paramount importance. The integrity and security of the data are at risk with quantum computing in play. Quantum computing can break into some of the most secure hardware, software, and firmware. 

To future-proof the systems, the Federal Government will prioritize the transition of vulnerable Federal systems to quantum-resistant cryptography-based environments. The private sector is expected to follow the path set up by the government. 

Strategic objective 4.4: Secure our clean energy future

The world is becoming more and more cautious about its carbon footprint and so is the United States Government. The US government plans to invest in new energy infrastructure. It will proactively implement the Congressionally-directed National Cyber-Informed Engineering Strategy rather than adding it as an afterthought.

The Federal Government will partner with industries, State, local, tribal, and territorial (SLTT) to deploy a secure, interoperable network of electric vehicles (EV) chargers, zero-emission fueling infrastructure, and zero-emission buses. The government is planning for generations, transportation, and storage of green energy which will require a robust cybersecurity resilience effort.

Strategic objective 4.5: Support the development of a digital identity ecosystem

There are considerable losses due to digital identity thefts and data breaches. The cost of these losses is ultimately on the shoulders of the general public. The private and public sectors must work hand-in-hand to solve the problem of digital data security.

The Federal Government will enable and encourage investment in strong, verifiable digital identity solutions. The efforts to strengthen the security of digital credentials, provide attributes and credential validation services, and update the standard guidelines will be led by the NIST-led digital identity research program authorized in the creating of helpful incentives to produce semiconductors (CHIPS) and Science Act. 

Protection of the digital identity will 

• Protect and enhance individual privacy, civil rights, and civil liberties; 
• Guard against unintended consequences, bias, and potential abuse;
• Enable vendor choice and voluntary use by individuals;
• Increase security and interoperability;
• Promote inclusivity and accessibility;
• Improve transparency and accountability in using technology and individual’s data

Strategic objective 4.6: Develop a national strategy to strengthen our cyber workforce

Due to a huge knowledge gap, both private and public sector organizations face challenges in hiring professionals. United States will lead the development and implementation of a National Cyber Workforce and Education Strategy led by the Office of the National Cyber Direction (ONCD). By increasing cyber education and training pathways, the strategy will strengthen and diversify the cyber workspace.

Pillar five: Forge international partnerships to pursue shared goals

The US promotes the expectation and rewarding of responsible state behavior and isolating and taxing irresponsible behavior. The US will collaborate with the international community to counter common threats, protect against transnational digital repression, preserve and reinforce global Internet freedom, and build toward a shared digital ecosystem.

Strategic objective 5.1: Build coalitions to counter threats to our digital ecosystem

In April 2022, the United States, along with 60 other countries, built Declaration for the Future of the Internet (DFI). This coalition is the largest of its kind in the world and supports the vision for an open, free, global, interoperable, reliable, and secure digital future. DFI, in addition to other coalitions such as the Quadrilateral Security Dialog (Quad), the Indo-Pacific Economic Framework for Prosperity (IPEF), and Americas Partnership for Economic Prosperity (APEP), shall work towards similar goals.

Strategic objective 5.2: Strengthen international partner capacity

International laws and norms for responsible state behavior are critical to implementing policies across the globe. To achieve this objective, the US will lead expertise across agencies, public and private sectors, and among advanced regional partners to pursue coordinated and effective international cyber capacity-building and operational collaboration efforts. The DoJ, the Department of State, and the Department of Defence (DoD) will align their goals with cybersecurity goals.

Strategic objective 5.3: Expand the US’s ability to assist allies and partners

Many countries, including Cost Rica, Albania, and Montenegro, have asked for US’s support to investigate, respond, and recover from significant cyberattacks. Supporting its allies will help the US in international relations and achieve cybersecurity goals. 

The Biden Administration will devise policies to determine when it is in the national interest to provide support, develop mechanisms for identifying and deploying agency resources, and, if needed, remove any such financial and procedural barriers to provide operational support.

Strategic objective 5.4: Build coalitions to reinforce global norms of responsible state behavior

Every member of the United Nations (UN) must adhere to its political commitment to endorse peacetime norms of responsible state behavior in cyberspace. The commitments are not self-enforcing, and the US plans to hold irresponsible states accountable if they fail to uphold their commitments. To quash the adversaries without armed conflict, the US will work with its allies and partners to impose meaningful consequences.

Strategic objective 5.5: Secure global supply chains for information, communications, and operational technology products and services

Supply chains are getting larger and more complicated. It is not uncommon for a business to order raw materials from and sell finished products to foreign nations. With increasing supply chain complexity, the risk of cyber threats also increases. Protecting the supply chains from cyber attacks will require a long-term partnership between the public and private sectors, both within and outside the US.

Critical inputs must be developed in the US or in close cooperation with the allies. The effectiveness of the supply chains is relational to the effectiveness of the cybersecurity efforts put in. Therefore, the Strategy focuses on building a transparent, efficient, resilient, and trustworthy supply chain.

Winding up

We saw Biden’s National Cybersecurity Strategy briefly in this article. This Strategy clearly defines the US government’s plans to build a more secure and resilient future. It highlights the steps to be taken by the US government indigenously and in collaboration with international agencies to secure each and every aspect of cyberspace. It also accentuates the need for education and training in the cybersecurity field to boost the supply of personnel.