New US National Cyber Security Strategy

Uploaded on 2023-03-06 in INTELLIGENCE--USA, GOVERNMENT-National, FREE TO VIEW

The White House has published a National Cybersecurity Strategy calling for comprehensive regulation of the nation's vital services. This is based on a growing recognition that the US economy can no longer rely upon voluntary cyber security measures which have failed to prevent the enormous economic losses caused by surging ransomware attacks.

The report provides a road map on how the US will defend against the rapidly growing number of online threats. 

"Cyber security is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden writes in the introduction to the strategy. 

The 38-page document describes how the voluntary cyber security measures in place today have produced “inadequate and inconsistent outcomes” as it calls for stronger regulation to protect “critical infrastructure.” The White House also says that there have been "inadequate and inconsistent outcomes" across critical infrastructure like energy pipelines, food companies, schools and hospitals. The document comes on the heels of major cyber incidents, including a massive ransomware attack at the largest meat supplier and many more ransomware attacks.

This new strategy is led by the Office of the National Cyber Director in the White House, calls out China, Russia, Iran and North Korea for aggressive cyber tactics exhibiting "reckless disregard for the rule of law" and elevates ransomware attacks, such as the 2021 Russia-linked cyber attack on the Colonial pipeline

"For government, we have a duty to the American people to double down on tools that only government can wield, including the law enforcement and military authorities, to disrupt malicious cyber activity and pursue their perpetrators," Acting National Cyber Director Kemba Walden told reporters.

The report's authors appear to doubt that the US criminal justice system is able to deal with the challenge alone and it is likely that government will use its other powers, including sanctions, to defend against foreign cyber criminals. "We want to shrink the surface of the earth in which people can conduct malicious cyber activity with impunity, to put pressure on them and make their lives a little bit less pleasurable... if a criminal is restricted to living in Russia and can't leave the borders, then perhaps that might create a bit of a deterrent effect." a senior official has said. 

According to the White House strategy, it is China that "now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so."

China's growing cyber capabilities have prompted growing concerns about attacks on US telecommunications, mass-pollution of American waterways and targeting of the US power grid.  "Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched," CISA Director Jen Easterly recently said.   

The new cybersecurity roadmap is intended to shift the burden of cyber risk beyond consumers and ensure "companies are not trapped in a competition to underspend their peers on cybersecurity." The US governmnet has  already started cyber security mandates intended to protect oil and gas pipelines, and shore up rail and aviation sectors. 

Officials have previewed plans for the Environmental Protection Agency (EPA) to issue a rule for the water sector. A 2021 survey of 606 drinking and waste-water organisations by the Water Sector Coordinating Council found half spent less than 5% of their budget on IT security. "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognising that even the most advanced software security programs cannot prevent all vulnerabilities," the strategy read. 

Most recently, the US Marshals Service had a major cyber attack compromising some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential investigative targets.   

The Congress has already passed laws requiring critical infrastructure owners and operators to report to the federal government within 72 hours in the event of a major cyber attack. "Where Federal departments and agencies have gaps in statutory authorities to implement minimum cyber security requirements or mitigate related market failures, the Administration will work with Congress to close them," according to the strategy. 

The New Strategy Has Five Elements  

Defend critical infrastructure:    The strategy will set minimum cybersecurity requirements for organisations across all critical infrastructure sectors, while also seeking to expand public-private collaboration and modernise federal networks.

Target and disrupt threat actors:   The administration has vowed to use "all instruments of national power" to target malicious actors, bring more private sector expertise to bear, and continue targeting ransomware "in lockstep with our international partners."  

Use market forces to improve security and resilience:    The administration wants a greater focus on "promoting privacy and the security of personal data" to drive data holders to better secure it, and it wants commercial developers and sellers of software and hardware to be liable if they fail to employ recognized security development practices.    

Invest in resilience:    The strategy highlights the need to reduce vulnerabilities in foundational technology, prioritise research and development for emerging technologies such as "post-quantum encryption, digital identity solutions and clean energy infrastructure," and expand the size of the nation's cyber workforce.

Enhance international partnerships:   Promoting "responsible state behaviour" as well as allies' own cybersecurity resilience and supply chain security remains a goal, as does attempting to impose costs on countries that engage in "irresponsible behaviour," according to the strategy.

Senior Director Cybersecurity Strategy at Menlo Security, Mark Guntrip, commented, ““There’s a lot to unpack in the Strategy, but a good place to start is building resilience in cyberspace. This is going to require organisations to lean on innovative technologies that act as alternatives to the traditional layers of security. We see that focusing on threat prevention ahead of detection and response makes good sense in order to improve overall security effectiveness. Technologies that provide isolation, deception solutions or data micro-segmentation could be starting points.”

National Cyber Director Chris Inglis stepped down from his post last month, retiring after almost two years at the helm of the agency responsible for coordinating a patchwork of agencies and offices tasked with safeguarding the nation's critical infrastructure. President Biden has yet to nominate his replacement. 

The White House:      GovInfoSecurity:     CBS:          BankInfoSecurity:     Forbes:     CNBC

You Might Also Read: 

Crackdown On Ransomware Criminals:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The US Marshals Service Gets Hacked
Cyber Criminals Are Quick To Use ChatGPT  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

AA Certification (AAC)

AA Certification (AAC)

AAC provide ISO Quality Management System certification services including ISO 27001.

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

CyberOwl

CyberOwl

CyberOwl builds on cutting-edge research and combines decades of experience in developing, securing and operating large distributed systems.

VU Security

VU Security

VU is a specialist in Cybersecurity software development with a focus on the prevention of fraud and identity theft.

SecuLetter

SecuLetter

SecuLetter is able to detect unknown attacks with hybrid approaches, static and dynamic analysis.

Fairfirst Insurance

Fairfirst Insurance

Fairfirst Cyber Insurance protects your business assets against the complexity of cyber threats.

Jacobs

Jacobs

Jacobs is at the forefront of the most important security issues today. We are inspired to be the best and deliver innovative, mission-focused outcomes that matter to our clients.

Nexor

Nexor

Nexor are a UK-based cyber security company with 30 years' experience in secure information exchange.

Xopero Software

Xopero Software

Xopero Software develops a comprehensive range of professional tools for protecting and restoring critical business data.

Communicate Technology

Communicate Technology

Communicate Technology are IT, telecoms and cyber-security specialists, keeping over 500 businesses and 50,000 users connected and secure across the UK.

Cyberfort Group

Cyberfort Group

Cyberfort exists to provide our clients with the peace-of-mind about the security of their data and the compliance of their business.

HiScout

HiScout

HiScout is your integrated management system for IT governance, risk & compliance.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

Conceal

Conceal

Conceal’s mission is to stop ransomware and credential theft for companies of all sizes by developing innovative solutions that provide social engineering protection in any browser.

Cytex

Cytex

Cytex is the All-in-One solution for SMB data protection & compliance needs.

CyberKinetics

CyberKinetics

CyberKinetics specializes in cloud-based services and solutions for federal agencies and commercial clients with compliance mandates.