The US Government has been working on its 2023 National Cybersecurity Strategy for some time now, and it was finally released on March 2, 2023. The strategy document, which replaces the previous National Cyber Strategy from 2018, sets out the general direction of the US approach to cybercrime and security for the next few years.
While you don't necessarily need to take immediate action on the points raised, there is a lot of talk about liability for poor security practices at larger organisations, security labels for IoT devices, and a greatly improved hiring strategy for unfilled security vacancies. If these are areas of concern for you, we highlight the important parts below.
As per the WSJ, the five primary areas for action (the strategy calls them pillars) are:
- Defending critical infrastructure
- Disrupting and dismantling criminal gangs
- Shaping market forces
- Investing in a resilient future
- Forging international partnerships
One large part of this new strategy is that organisations potentially most well equipped to fend off attacks must step up and do more:
The most capable and best positioned actors in cyberspace must be better stewards of the digital ecosystem...we must ask more [across both the public and private sectors] of the most capable and best positioned actors to make our digital ecosystem more secure and resilient. In a free and interconnected society, protecting data and ensuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.
With this in mind, then, let’s highlight some of the standouts from relevant sections.
Defending critical infrastructure
Expanding the use of minimum cybersecurity requirements in critical sectors
If you work in a critical sector of industry, you can expect to see new requirements heading your way in the near future. Regulators will use their “existing authorities” to set new cybersecurity requirements, and where gaps exist in statutory authority to create minimum standards, the Administration will work with Congress to close them. Regulations will be performance-based and make use of existing security frameworks, so no reinventing the wheel here. A focus on driving better practices in the cloud industry is also evident.
Update Federal response plans
You can expect better processes should you need to contact Federal authorities after a cyber incident, with the aim of creating a “unified, coordinated, whole of government response” in which organisations can quickly and easily find out who to contact, and when. The National Cyber Incident Response Plan (NCIRP) will be updated through this work, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require specific entities in critical infrastructure sectors to report incidents to CISA “within hours”. In practice, the statute sets a 72-hour window for covered incidents and 24 hours for ransom payments, with the precise scope of who must report, and what, left to CISA's implementing rulemaking.
Disruption of criminal gangs
Engaging the private sector in disruption activities
The Government wants to combine the “unique insights and capabilities” of the private sector with the ability to take decisive action by Federal agencies. There’s a strong desire here to have private sector partners organise through non-profit organisations serving as hubs for operational collaboration with the Federal government.
Virtual collaboration platforms will be used for these activities and information sharing processes, with the Government looking after the necessary security requirements and records management activities. In other words: if your organisation casts a wide security net, gathers data on attempted attacks, blocks and catches interesting files, wards off ransomware, and spots dubious network traffic, then there’s something approaching an Avengers initiative waiting in the wings.
Shape market forces
Promoting privacy and the security of personal data
Making large organisations accountable for failing to be responsible stewards of data is a key thread running throughout the strategy document. This is because the costs are often passed on to everyday people, with the biggest impact being felt on vulnerable populations.
Internet of Things devices can expect to fall under “IoT security labelling programs”, which will allow consumers to compare security protections offered by devices. The idea here is to create a market incentive for better security across the IoT space, but this is reliant upon people understanding that these labels exist, and what they mean in practice.
Shifting liability for software products and services to promote secure development practices
If you know someone who works for an organisation playing fast and loose with data, security practices, and compliance, they should be warned: there’s a liability storm coming. The Administration is going to be working with Congress and the private sector to develop legislation establishing liability for software products and services, along with a “safe harbour” for those securely developing and maintaining products and services.
Investing in a resilient future
Develop a national strategy to strengthen our cyber workforce
The hundreds of thousands of vacancies in cybersecurity positions nationwide are a sore point for this Administration. If you're short on security workers yourself, then the proposed National Cyber Workforce and Education Strategy may be what you've been looking for. Critical infrastructure is once again a key talking point, and the workforce strategy aims to improve hiring among underrepresented groups of candidates. It plans to make use of several existing schemes, and also to take inspiration from successful hiring practices in other nations.
What’s the response so far?
There is some criticism for the plans, mainly on the basis that plans come and go but rarely manage to keep pace with the actual speed of changing technological threats. As Bloomberg Law points out, the plan itself has no regulatory teeth and it’s now mainly up to various agencies to take the ball and run with it in terms of making new changes.
New strategies for tackling cybercrime and protecting critical infrastructure are always welcome, but it remains to be seen how much practical impact the Biden Administration’s 2023 National Cybersecurity Strategy will have over the next few years.