White House Calls for Aggressive Regulations in New Cybersecurity Strategy

On March 2, 2023, the Biden-Harris Administration released its new National Cybersecurity Strategy – the first new plan in five years. The goal is to establish a safe digital environment in the US and position the internet as a shield to protect and secure the nation’s people, their freedoms, information, and the economy. 

The biggest shift we see with the new initiative as opposed to previous cyber strategies is the movement toward attack prevention. The administration will make vendors more accountable for vulnerabilities and incentivize them to adopt secure developmental policies.

Previously, strategies have emphasized compliance and controls for businesses or offensive strategies against nation-state actors, so this is indeed a new direction.

A new strategy for cyber defense

As the digital environment faces new threats, more complex and dangerous than we’ve known thus far, our efforts require better coordination among innovators, more reliable resources (in some cases provided by the government), and a commitment to making cyber defense priority number one. 

The plan, crafted by the White House alongside experts across several industries, promises more targeted regulation to secure higher-risk institutions such as banks, hospitals, schools, and utilities. 

To do this, the administration set the following goals to align cyber defense strategies. The intention is to make our cyber ecosystem:

  • Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;

  • Resilient, where cyber incidents and errors have little widespread or lasting impact; and,

  • Values-aligned, where our most cherished values shape—and are in turn reinforced by—our digital world.

According to Politico, the plan “makes clear that the U.S. plans to be aggressive against foreign adversaries who try to hack into American networks.” The strategy also outlines tighter coordination across the federal government so agencies can respond more quickly to cyber threats.

In addition to how the government will beef up its security efforts, regulations within the plan seek to make certain products and platforms are built with protective features from their conception, partially shifting the responsibility for good cyber hygiene practices from buyers to vendors.

The 5 pillars of Biden’s new cyber defense strategy aim to:

  1. Defend critical infrastructure

  2. Disrupt and dismantle threat actors

  3. Shape market forces to drive security and resilience

  4. Invest in a resilient future

  5. Forge international partnerships to pursue shared goals

What does this mean for IT and security practitioners today?

Today’s announcement of the National Cybersecurity Strategy lays out a high-level plan for how the government intends to strengthen and maintain “an open, free, global, interoperable, reliable, and secure Internet and building a more defensible and resilient digital ecosystem” while also hinting at “generational investments” by the Federal Government and private sector. You’re unlikely to see effects today, but in the coming months and years we’ll see implementation of the strategy begin.

The strategy is intended to increase private sector investment in security, collaboration, resilience, and research and development. The Office of the National Cyber Director (ONCD) and the Office of Management and Budget (OMB) will issue annual guidance on cybersecurity budget priorities to guide this investment.

Most significantly, the strategy lays out two fundamental shifts in how the US will approach cybersecurity. 

  • Rebalance responsibility to defend cyberspace: Shift the burden of responsibility away from individuals, small businesses, state and local governments, and infrastructure operators, and onto the owners and operators of the systems that hold data and help society function.

  • Realign incentives to favor long-term investments: Defend existing systems while investing in future systems that are inherently defensible and resilient.

In the vein of realigning incentives, the plan promises new and updated cybersecurity regulation in key areas like critical infrastructure while simultaneously ensuring those entities can afford and implement the tools needed to meet requirements.

Modernization to strengthen security

In the press conference supporting today’s cyber strategy plan, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger mentioned the adoption of the cloud and cloud security products as a lever to help modernize technology by eliminating legacy systems that are difficult to inventory and patch quickly in the event of a vulnerability.

Businesses are likely ahead of the curve compared to the federal government in modernizing infrastructure, but this is another call to modernize where possible and to maintain an accurate, comprehensive inventory and a proactive, aggressive patching program to strengthen your overall security posture.

Increased accountability for insecure software and hardware products? 

IT and security teams are likely to be interested in Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services. The strategy asserts that markets impose inadequate costs on entities that introduce vulnerable products, and we agree. Too often products and their hardware and software are released without adhering to security best practices, which leaves organizations and their IT and security teams under increased stress to pick up the pieces.

The strategy plans to engage Congress and the private sector to incentivize adherence to secure software development practices, notably stating that “companies that make software must have the freedom to innovate, but must also be held liable when they fail to live up to the duty of care they owe customers, businesses, or critical infrastructure providers.”

Undoubtedly this would decrease the burden on most IT and security teams, though any monumental shift in liability may require legislation. For now, patching the mountain of vulnerabilities as quickly as possible remains critical, and remediating critical vulnerabilities still takes too long, 60 days on average. Cross-platform and third-party coverage are critical, and thoughtful, simple automation can reduce the burden on teams while reducing the mean time to remediate (MTTR) critical vulnerabilities.

Automox customers fix critical vulnerabilities in less than half the time compared to the industry by adopting these best practices.