New US National Cyber Security Strategy

The White House has published a National Cybersecurity Strategy calling for comprehensive regulation of the nation's vital services. This is based on a growing recognition that the US economy can no longer rely upon voluntary cyber security measures which have failed to prevent the enormous economic losses caused by surging ransomware attacks.

The report provides a road map on how the US will defend against the rapidly growing number of online threats. 

"Cyber security is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden writes in the introduction to the strategy. 

The 38-page document describes how the voluntary cyber security measures in place today have produced “inadequate and inconsistent outcomes” as it calls for stronger regulation to protect “critical infrastructure.” The White House also says that there have been "inadequate and inconsistent outcomes" across critical infrastructure like energy pipelines, food companies, schools and hospitals. The document comes on the heels of major cyber incidents, including a massive ransomware attack at the largest meat supplier and many more ransomware attacks.

This new strategy is led by the Office of the National Cyber Director in the White House, calls out China, Russia, Iran and North Korea for aggressive cyber tactics exhibiting "reckless disregard for the rule of law" and elevates ransomware attacks, such as the 2021 Russia-linked cyber attack on the Colonial pipeline

"For government, we have a duty to the American people to double down on tools that only government can wield, including the law enforcement and military authorities, to disrupt malicious cyber activity and pursue their perpetrators," Acting National Cyber Director Kemba Walden told reporters.

The report's authors appear to doubt that the US criminal justice system is able to deal with the challenge alone and it is likely that government will use its other powers, including sanctions, to defend against foreign cyber criminals. "We want to shrink the surface of the earth in which people can conduct malicious cyber activity with impunity, to put pressure on them and make their lives a little bit less pleasurable... if a criminal is restricted to living in Russia and can't leave the borders, then perhaps that might create a bit of a deterrent effect." a senior official has said. 

According to the White House strategy, it is China that "now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so."

China's growing cyber capabilities have prompted growing concerns about attacks on US telecommunications, mass-pollution of American waterways and targeting of the US power grid.  "Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched," CISA Director Jen Easterly recently said.   

The new cybersecurity roadmap is intended to shift the burden of cyber risk beyond consumers and ensure "companies are not trapped in a competition to underspend their peers on cybersecurity." The US governmnet has  already started cyber security mandates intended to protect oil and gas pipelines, and shore up rail and aviation sectors. 

Officials have previewed plans for the Environmental Protection Agency (EPA) to issue a rule for the water sector. A 2021 survey of 606 drinking and waste-water organisations by the Water Sector Coordinating Council found half spent less than 5% of their budget on IT security. "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognising that even the most advanced software security programs cannot prevent all vulnerabilities," the strategy read. 

Most recently, the US Marshals Service had a major cyber attack compromising some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential investigative targets.   

The Congress has already passed laws requiring critical infrastructure owners and operators to report to the federal government within 72 hours in the event of a major cyber attack. "Where Federal departments and agencies have gaps in statutory authorities to implement minimum cyber security requirements or mitigate related market failures, the Administration will work with Congress to close them," according to the strategy. 

The New Strategy Has Five Elements  

Defend critical infrastructure:    The strategy will set minimum cybersecurity requirements for organisations across all critical infrastructure sectors, while also seeking to expand public-private collaboration and modernise federal networks.

Target and disrupt threat actors:   The administration has vowed to use "all instruments of national power" to target malicious actors, bring more private sector expertise to bear, and continue targeting ransomware "in lockstep with our international partners."  

Use market forces to improve security and resilience:    The administration wants a greater focus on "promoting privacy and the security of personal data" to drive data holders to better secure it, and it wants commercial developers and sellers of software and hardware to be liable if they fail to employ recognized security development practices.    

Invest in resilience:    The strategy highlights the need to reduce vulnerabilities in foundational technology, prioritise research and development for emerging technologies such as "post-quantum encryption, digital identity solutions and clean energy infrastructure," and expand the size of the nation's cyber workforce.

Enhance international partnerships:   Promoting "responsible state behaviour" as well as allies' own cybersecurity resilience and supply chain security remains a goal, as does attempting to impose costs on countries that engage in "irresponsible behaviour," according to the strategy.

Senior Director Cybersecurity Strategy at Menlo Security, Mark Guntrip, commented, ““There’s a lot to unpack in the Strategy, but a good place to start is building resilience in cyberspace. This is going to require organisations to lean on innovative technologies that act as alternatives to the traditional layers of security. We see that focusing on threat prevention ahead of detection and response makes good sense in order to improve overall security effectiveness. Technologies that provide isolation, deception solutions or data micro-segmentation could be starting points.”

National Cyber Director Chris Inglis stepped down from his post last month, retiring after almost two years at the helm of the agency responsible for coordinating a patchwork of agencies and offices tasked with safeguarding the nation's critical infrastructure. President Biden has yet to nominate his replacement. 

The White House:      GovInfoSecurity:     CBS:          BankInfoSecurity:     Forbes:     CNBC

You Might Also Read: 

Crackdown On Ransomware Criminals:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The US Marshals Service Gets Hacked
Cyber Criminals Are Quick To Use ChatGPT  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

Data Security Inc

Data Security Inc

Data Security, Inc. is the leading American manufacturer and supplier of hard drive degaussers, magnetic tape degaussers as well as hard drive and solid state destruction devices.

Asia Center of Excellence for Smart Technologies (ACES)

Asia Center of Excellence for Smart Technologies (ACES)

ACES is a one-stop competency center and incubator for the development of Industry 4.0 and associated technologies including cybersecurity, robotics, IoT and Big Data.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

Heidrick & Struggles International

Heidrick & Struggles International

Heidrick & Struggles is a premier provider of leadership consulting and senior-level executive search services for roles including Information & Technology Officers and Cybersecurity.

Security Weaver

Security Weaver

Security Weaver is a leading provider of governance, risk and compliance management (GRCM) software.

Cytenna

Cytenna

Cytenna Signal is a suite of SaaS (Software-as-a-Service) products that use AI and machine learning to automatically aggregate the latest information about software vulnerabilities.

BugDazz

BugDazz

BugDazz pentest as a service (PTaaS) platform helps bringing in real-time results, detail coverage, & easy remediation workflows with compliance-ready reports.

Debevoise & Plimpton

Debevoise & Plimpton

Debevoise & Plimpton LLP is a premier law firm with market-leading practices in areas including Data Strategy & Security.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

Banyax

Banyax

Banyax provides 24×7 real-time Cyber Defense Center Services using the latest technology tools to provide state-of-the-art defense.

Zilla Security

Zilla Security

Zilla combines identity governance with cloud security to deliver comprehensive access visibility, reviews, lifecycle management, and policy-based security remediation.

MajorKey Technologies

MajorKey Technologies

MajorKey improves security performance by reducing user friction and business risk, empowering your people, and protecting your IP.

IDVerse

IDVerse

IDVerse is focused on making user verification effortless through technology. We build intelligent tools that protect users from identity fraud while enabling a seamless user experience.

PureSoftware

PureSoftware

PureSoftware is a global software products and digital services company that is driving transformation for the world’s top organizations across various industry verticals.

CompassMSP

CompassMSP

CompassMSP deliver Managed IT and cybersecurity solutions designed to unleash your business's full potential.