New US National Cyber Security Strategy

The White House has published a National Cybersecurity Strategy calling for comprehensive regulation of the nation's vital services. This is based on a growing recognition that the US economy can no longer rely upon voluntary cyber security measures which have failed to prevent the enormous economic losses caused by surging ransomware attacks.

The report provides a road map on how the US will defend against the rapidly growing number of online threats. 

"Cyber security is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden writes in the introduction to the strategy. 

The 38-page document describes how the voluntary cyber security measures in place today have produced “inadequate and inconsistent outcomes” as it calls for stronger regulation to protect “critical infrastructure.” The White House also says that there have been "inadequate and inconsistent outcomes" across critical infrastructure like energy pipelines, food companies, schools and hospitals. The document comes on the heels of major cyber incidents, including a massive ransomware attack at the largest meat supplier and many more ransomware attacks.

This new strategy is led by the Office of the National Cyber Director in the White House, calls out China, Russia, Iran and North Korea for aggressive cyber tactics exhibiting "reckless disregard for the rule of law" and elevates ransomware attacks, such as the 2021 Russia-linked cyber attack on the Colonial pipeline

"For government, we have a duty to the American people to double down on tools that only government can wield, including the law enforcement and military authorities, to disrupt malicious cyber activity and pursue their perpetrators," Acting National Cyber Director Kemba Walden told reporters.

The report's authors appear to doubt that the US criminal justice system is able to deal with the challenge alone and it is likely that government will use its other powers, including sanctions, to defend against foreign cyber criminals. "We want to shrink the surface of the earth in which people can conduct malicious cyber activity with impunity, to put pressure on them and make their lives a little bit less pleasurable... if a criminal is restricted to living in Russia and can't leave the borders, then perhaps that might create a bit of a deterrent effect." a senior official has said. 

According to the White House strategy, it is China that "now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so."

China's growing cyber capabilities have prompted growing concerns about attacks on US telecommunications, mass-pollution of American waterways and targeting of the US power grid.  "Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched," CISA Director Jen Easterly recently said.   

The new cybersecurity roadmap is intended to shift the burden of cyber risk beyond consumers and ensure "companies are not trapped in a competition to underspend their peers on cybersecurity." The US governmnet has  already started cyber security mandates intended to protect oil and gas pipelines, and shore up rail and aviation sectors. 

Officials have previewed plans for the Environmental Protection Agency (EPA) to issue a rule for the water sector. A 2021 survey of 606 drinking and waste-water organisations by the Water Sector Coordinating Council found half spent less than 5% of their budget on IT security. "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognising that even the most advanced software security programs cannot prevent all vulnerabilities," the strategy read. 

Most recently, the US Marshals Service had a major cyber attack compromising some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential investigative targets.   

The Congress has already passed laws requiring critical infrastructure owners and operators to report to the federal government within 72 hours in the event of a major cyber attack. "Where Federal departments and agencies have gaps in statutory authorities to implement minimum cyber security requirements or mitigate related market failures, the Administration will work with Congress to close them," according to the strategy. 

The New Strategy Has Five Elements  

Defend critical infrastructure:    The strategy will set minimum cybersecurity requirements for organisations across all critical infrastructure sectors, while also seeking to expand public-private collaboration and modernise federal networks.

Target and disrupt threat actors:   The administration has vowed to use "all instruments of national power" to target malicious actors, bring more private sector expertise to bear, and continue targeting ransomware "in lockstep with our international partners."  

Use market forces to improve security and resilience:    The administration wants a greater focus on "promoting privacy and the security of personal data" to drive data holders to better secure it, and it wants commercial developers and sellers of software and hardware to be liable if they fail to employ recognized security development practices.    

Invest in resilience:    The strategy highlights the need to reduce vulnerabilities in foundational technology, prioritise research and development for emerging technologies such as "post-quantum encryption, digital identity solutions and clean energy infrastructure," and expand the size of the nation's cyber workforce.

Enhance international partnerships:   Promoting "responsible state behaviour" as well as allies' own cybersecurity resilience and supply chain security remains a goal, as does attempting to impose costs on countries that engage in "irresponsible behaviour," according to the strategy.

Senior Director Cybersecurity Strategy at Menlo Security, Mark Guntrip, commented, ““There’s a lot to unpack in the Strategy, but a good place to start is building resilience in cyberspace. This is going to require organisations to lean on innovative technologies that act as alternatives to the traditional layers of security. We see that focusing on threat prevention ahead of detection and response makes good sense in order to improve overall security effectiveness. Technologies that provide isolation, deception solutions or data micro-segmentation could be starting points.”

National Cyber Director Chris Inglis stepped down from his post last month, retiring after almost two years at the helm of the agency responsible for coordinating a patchwork of agencies and offices tasked with safeguarding the nation's critical infrastructure. President Biden has yet to nominate his replacement. 

The White House:      GovInfoSecurity:     CBS:          BankInfoSecurity:     Forbes:     CNBC

You Might Also Read: 

Crackdown On Ransomware Criminals:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The US Marshals Service Gets Hacked
Cyber Criminals Are Quick To Use ChatGPT  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

OCERT

OCERT

OCERT is the National Computer Emergency Response Team of Oman.

Tinfoil Security

Tinfoil Security

Tinfoil is a simple, developer friendly service that lets you scan your website for vulnerabilities and fix them quickly and easily.

RiskSense

RiskSense

RiskSense empowers enterprises and governments to reveal cyber risk, quickly orchestrate remediation, and monitor the results.

Applied Security (APSEC)

Applied Security (APSEC)

APSEC provides products and services in the areas of encryption, digital signature, authentication and data loss prevention.

Quadron  Cybersecurity Services

Quadron Cybersecurity Services

Quadron Cybersecurity Services is a specialist in digital security, data and system protection.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Stone Forest IT (SFIT)

Stone Forest IT (SFIT)

Stone Forest IT specialises in providing advisory, implementation and managed services for IT infrastructure, IT security solutions, business applications (ERP and CRM) and business analytical tools.

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER) conducts full spectrum military cyberspace operations in order to enable freedom of action in cyberspace and deny the same to the adversary.

ReasonLabs

ReasonLabs

ReasonLabs have created a next-generation anti-virus that is enterprise grade, yet accessible to any personal device around the world.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

DC Two

DC Two

DC Two are a locally operated and supported Australian data centre, offering a suite of vertically integrated services covering every part of the data centre and cloud technology stack.

Radius Technologies

Radius Technologies

Radius Technologies is trusted by progressive SMEs to deliver world-class cloud, IT solutions, IT and data security, and telecoms systems.

Omantel Innovation Labs

Omantel Innovation Labs

The Omantel Innovation Labs is a platform to enable startups and innovators to develop and commercialize solutions within selected technology verticals including cybersecurity.

Mindcore Technologies

Mindcore Technologies

Mindcore provide cyber security services, managed IT services and IT consulting services to businesses in NJ, FL, and throughout the United States.

Skillfield

Skillfield

Skillfield is a Melbourne based Cyber Security and Data Services consultancy and professional services company.

SignPath

SignPath

SignPath provides leading-edge software and SaaS services that ensure code integrity from development to distribution.