The new National Cybersecurity Strategy shows the comprehensive approach taken by the Biden administration to secure cyberspace and ensure the US is in the strongest possible position to realize all the benefits and potential of the digital future.
Moreover, one critical aspect of the Strategy is its shifting focus of cybersecurity responsibilities from the shoulders of the general public to the public sector and the affluent private sector. This means private sector organizations will need to sharpen their knowledge and align with the expectations of the new Strategy – especially if they want to be a part of the economic reforms.
And we’re here to help you understand exactly how to do that.
Let’s do a quick recap of the US National Cybersecurity Strategy.
We discussed the National Cybersecurity Strategy of 2023 (also referred to as ‘the Strategy’) in our previous article, “Biden’s National Cybersecurity Strategy – a roadmap to prosperity through secure cyberspace”.
It is based on five fundamental principles or pillars, which aim to direct two fundamental changes, which include rebalancing the responsibility to defend cyberspace and realigning incentives to favor long-term investments. These pillars are as follows;
The expectations of Biden’s National Cybersecurity Strategy from the private sector
The role of the private sector, especially those holding resources, in security is increasing. Why? Because the government plans to invest in data protection through public organizations and will encourage the private sector to join hands, as well.
The Strategy plays a critical role in this as it divides the responsibility of cybersecurity between public and private agencies. Some of the actions that the Strategy will expect from the private sector industry are as follows.
1. Implement zero-trust architecture
Zero-trust architecture is a strategy implemented by an organization that negates implicit trust and applies continuous validation of each stage of digital interaction. It is based on the principle of “never trust, always validate” when it comes to sharing information. A zero-trust model verifies the user’s identity, device, location, and role before sharing requested data.
As the Biden administration shifts to tighter defenses, it plans to adopt zero-trust in public sectors. Since it offers a fair amount of benefits, the private sector is also encouraged to follow in the footsteps of the public sector units.
Benefits of implementing a zero-trust architecture
2. Modernize IT, and OT structure
Information technology (IT) and operation technology (OT) were historically disconnected. However, in recent years one can see the convergence of IT and OT on every scale. The IT system is used for data-centric activities, while the OT systems are used to monitor physical assets, like computing devices, events, and processes, to make enterprise and industrial operations more efficient.
The US administration focuses on modernizing every organization’s IT and OT structures to make them more cyber-resilient. By strengthening the organization’s defenses, one can reduce the chances of cyber attacks.
Some of the benefits of IT/OT convergence in a modern enterprise are as follows:
3. Follow sector-appropriate cybersecurity frameworks
The Federal government intends to shift the industry frameworks from optional to mandatory and introduce new frameworks for cybersecurity. These frameworks will be tailored to meet the cybersecurity needs of specific sectors and industries, keeping in mind the sector’s risk profile, harmonized to reduce duplication, complementary to public-private partnerships, and cognizant of the cost of implementation.
The private sector must follow the frameworks and compliance standards recommended by the government to contribute to the American dream of a cyber-resilient economy. In the long run, these frameworks can focus on achieving security outcomes and enabling the continuity of operations and functions while promoting collaboration and innovation.
The regulatory frameworks would be performance-based, leveraging the existing cybersecurity frameworks, voluntary consensus standards, and guidance, and flexible enough to adapt to any changes in technologies and tactics made by the threat actors. The frameworks and standards include the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) framework for Improving Critical Infrastructure Cybersecurity.
4. Develop cyber resilience in cloud computing
Cloud computing is the widely accepted method in the world right now and seems to be growing by leaps and bounds. Gartner forecasts public cloud end-user spending to reach $600 billion in 2023 vis-a-vis $500 billion in 2022.
Cyber resilience is the ability to foresee, resist, recover from, and respond to adverse conditions, including cyber attacks, data breaches, or any other cyber incident. Cyber resilience in cloud infrastructure is difficult to achieve as the data is stored with third parties. The importance of cloud security cannot be underestimated in these modern times.
Fortifying the cloud-based structure with more secure technology can improve the cybersecurity structure of the entire organization. Especially if you are working as a service provider to the government, your security posture should be top-notch.
5. Partner with other defenders
The strategy not only expects but promotes that the government/public institutions collaborate with private organizations to defend the country’s economy.
While it may seem like an unnecessary ask at first, both sectors can come together to play a significant role in this partnership. The private sector has the more technical knowledge to understand the techniques used by cybercriminals, while the government has more resources to follow through with the criminals.
Moreover, the Strategy recommends that the information be shared among all the defenders to present a united front to the cyber criminals. An open database might be helpful to all the parties involved in defending against cybercrime. It encourages all the defenders must openly share their learnings to help others from falling victim to similar attacks after every incident.
On their part, the government will also share relevant information directly with their private sector partners, i.e., you.
The following government bodies will provide opportunities to enable timely, actionable, and relevant information with their private partners:
- The Department of Energy (DOE)’s Energy Threat Analysis Center (ETAC) pilot,
- the Department of Defence (DoD)’s defense Industrial Base Collaborative Information Sharing Environment (DCISE), and
- the National Security Agency (NSA)’s Cybersecurity Collaboration Center.
6. Review major cyber incidents
The government is relying on the private sector cybersecurity leaders to partner with their government counterparts to review any major incidents, conduct authoritative fact-finding, generate informative insights, guide industry remediations, and provide recommendations for improving the nation’s cybersecurity posture going forward.
7. Use and develop software with cyber protection
The administration realizes that the burden of cybercrime is falling on the shoulders of smaller players and customers in the market. To minimize this burden, the federal government plans to rate the cybersecurity features of the software and display them.
Today, only some software developers are taking precautions to make their products secure from cybercriminals. This policy is saving the cost for the developers who forego cybersecurity settings in their products, thereby making their products more affordable to consumers. Inadvertently, the market is supporting and promoting insecure software.
Software supply chain security is one of the topmost areas the Strategy focuses on. It recommends that software developers have their products rated by a third party to measure their security. When the cybersecurity ratings are displayed on the products, consumers will gravitate toward the secure software. Slowly, insecure products will disappear from the market. All software products will include cybersecurity in their development cycle.
If you are buying software for your organization, you must choose software that includes cybersecurity. On the other hand, if you are a software developer, start developing software that supports a robust cybersecurity posture. In time, this will increase your market share.
8. Protect critical infrastructure
COVID-19 showed how critical infrastructure is important for the country. The Ukraine-Russia war has also accentuated the need for a functioning critical infrastructure. The private sector should keep in mind that the US government is planning to be independent in the production of essential goods to reduce disruption in critical times.
The cybersecurity of critical infrastructure is paramount, and if you are connected to providing this critical infrastructure, you must follow robust cybersecurity policies.
9. Educate your employees
The federal government acknowledges that there is an acute shortage of cybersecurity professionals in the market. This is also why it encourages education and training on the subject.
The government is planning on strategic investment in innovation, R&D, and education. As a private sector owner, if you educate your employees about cybersecurity, it will make your organization much more resilient. A small mistake made by an employee can lead to a full-blown cyber attack on the organization. Therefore, the employees must be taught to use cybersecurity practices as a part of their duties rather than as an additional chore.
Tests and quizzes should follow the training to verify the knowledge of employees. If you find the results unsatisfactory, you must retrain the employees and check where the gap lies.
The new National Cybersecurity Strategy has defined all the specific areas in which it wants private sector contribution. We have shown you where the government would require your input and how.
Apart from this, the US government plans to lay down different cybersecurity frameworks for the private sector. The Strategy focuses on collaboration and information sharing with the private sector. It also promises simplified and stronger versions of security-related regulations.
If you are from the private sector and wish to know more about the current industry frameworks and how complying with them will take you a step closer to alignment with the Strategy, reach out to us by clicking here.