The White House has released its National Cybersecurity Strategy, which envisions a greater role for US software vendors and tech providers in the fight against increasing cyber threats.
Published on March 3, 2023, the strategy outlines the Biden administration’s plan to make two fundamental changes to how the US approaches cyber security.
The first shift requires closer collaboration between government and industry, with the strategy stating that the organizations with the necessary skills and resources should be the ones to bear the burden of dealing with threats in cyberspace.
“Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens,” it said. “Instead, across the public and private sectors, we need to ask more of the most competent and best-positioned actors to make our digital ecosystem safe and stable.”
It added that this would include various national and federal cyber security bodies or initiatives, as well as a wide range of private actors: “The federal government [will] also deepen operational and strategic collaboration with software, hardware and managed service providers capable of changing the cyber landscape in favor of greater security and stability.”
Biden previously signed an Executive Order in May 2021 to strengthen America’s cyber defenses, with a heavy emphasis on public-private partnerships and information sharing, which the administration described as “the first of several ambitious steps” to modernize US cyber defenses.
He later signed a new cyber security incident reporting order, which became law in March 2022, making it a legal requirement for operators of critical national infrastructure to disclose breaches and cyber attacks to the US government.
In addition to balancing responsibility for defending cyber space, the strategy also aims to realign incentives to favor long-term investment, so that the US can make its cyber space “more inherently defensible and resilient” in the future.
“We must ensure that market forces and public programs equally reward security and resilience, build a strong and diverse cyber workforce, embrace security and resilience by design, strategically coordinate research and development investments in cyber security, and promote collaborative stewardship of our digital ecosystem,” it said.
To achieve these two “fundamental changes” in the US cyber security approach, the strategy outlines five pillars: protecting critical infrastructure; disrupting and dismantling threat actors; shaping market forces to drive security and stability; investing in a strong future; and forging international partnerships to pursue shared goals.
In terms of the role of the private sector, the White House said in a fact sheet that these pillars will include enabling public-private collaboration to work at the necessary speed and scale; involving the private sector in threat actor disruption activities; and shifting responsibility for security failures onto software companies.
It added that, more generally, the White House will work to expand the use of minimum cyber security requirements; modernize federal networks and incident response policies; improve the privacy and security of personal data; and strategically use “all instruments of national power” to counter adversaries.
The strategy will be implemented by the National Security Council (NSC) in coordination with the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD), which is tasked with reporting annually to the president and Congress on the effectiveness of the strategy.
Brian Fox, co-founder and chief technology officer of software supply chain management company Sonatype, who contributed to the development of the strategy, praised its move to ensure that vendors bear greater accountability for cyber security risks.
“Log4shell is the impetus for calls to action for better software supply chain security in governments around the world,” he said, adding that the strategy is a “significant time for the industry” that reflects a nuanced understanding of today’s threat landscape.
“Market forces have led to a race to the bottom in some industries, while contract law allows software vendors of all kinds to shield themselves from liability… recognize that even a perfect security process cannot guarantee perfect results.”
He added that the strategy also works to hold to account companies that collect large amounts of data and then leave that data exposed to attackers, with little recourse for those affected.
“Without regulatory changes, the consequences of these types of breaches can be huge for consumers, while the resulting lawsuits amount to a rounding error and a cost of doing business for these companies,” he said. “Changing the dynamics of accountability is the only way to bring about the right consequences. But this is just the beginning of a larger conversation.”
Michael McPherson, senior vice-president of security operations at ReliaQuest, also welcomed the strategy, saying it “validates the whole-of-government approach of working closely with the private sector to impose maximum adversary effect”.
“Ultimately, the US government wants to bring down the enemy’s ecosystem and impose consequences for their illegal activities,” he added. “Agencies like the FBI will continue to play a key role in coordinating efforts and driving these disruption operations. While there are many challenges to partnering with the private sector, this strategy outlines the need for it in the interest of national security.”