The IT Nerd

The Biden Administration has released the National Cybersecurity Strategy is out. And it has some interesting details:

The strategy – shaped by major hacking incidents that threatened key public services in the first year of the Biden administration – embraces the US government’s regulatory and purchasing power to force companies that are critical to economic and national security to raise their cyber defenses.

It reflects a widely held belief in the US government that market forces have failed to keep the nation safe from cybercriminals and an array of foreign governments such as Russia and China. 

“We ask individuals, small businesses and local government to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” Acting National Cyber Director Kemba Walden told reporters Wednesday. “This strategy asks more of industry, but also commits more from the government.”

The strategy is a policy document and not law, but it could shape corporate behavior for years to come as firms compete for billions of dollars in federal contracts that increasingly require a minimum set of cybersecurity defenses. And the White House says it wants to work with Congress to develop legislation that holds software makers liable when their products and services don’t provide adequate protections from sabotage.

Edgard Capdevielle, CEO of ICS/OT Cybersecurity Vendor of Nozomi Networks had this to say: 

“The National Cyber Strategy’s non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and Boards alike. While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces is going to be difficult. As it is for most companies in this macroeconomic climate. We look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible.” 

The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats. Hopefully this is effective at stopping the sort of large scale attacks that we’ve seen over the last few years.

UPDATE: Craig Burland, CISO of Inversion6 had this to say:

This strategy continues a trend of a more activist federal government pushing cybersecurity forward. Within the last 12 months or so, you can see increased announcements and initiatives from CISA, as an example, that foreshadowed something broader. The pillars build on existing ideas and cyber principles – defend critical infrastructure, support the nation’s collective defense, and embrace secure by design. That last item has been discussed in solution development forums for years, but hasn’t become a norm for producers. 

The real test will come in the pronouncements that follow.  A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming.  How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.

This entry was posted on March 2, 2023 at 9:13 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.