New US National Cyber Security Strategy

The White House has published a National Cybersecurity Strategy calling for comprehensive regulation of the nation's vital services. This is based on a growing recognition that the US economy can no longer rely upon voluntary cyber security measures which have failed to prevent the enormous economic losses caused by surging ransomware attacks.

The report provides a road map on how the US will defend against the rapidly growing number of online threats. 

"Cyber security is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden writes in the introduction to the strategy. 

The 38-page document describes how the voluntary cyber security measures in place today have produced “inadequate and inconsistent outcomes” as it calls for stronger regulation to protect “critical infrastructure.” The White House also says that there have been "inadequate and inconsistent outcomes" across critical infrastructure like energy pipelines, food companies, schools and hospitals. The document comes on the heels of major cyber incidents, including a massive ransomware attack at the largest meat supplier and many more ransomware attacks.

This new strategy is led by the Office of the National Cyber Director in the White House, calls out China, Russia, Iran and North Korea for aggressive cyber tactics exhibiting "reckless disregard for the rule of law" and elevates ransomware attacks, such as the 2021 Russia-linked cyber attack on the Colonial pipeline. 

"For government, we have a duty to the American people to double down on tools that only government can wield, including the law enforcement and military authorities, to disrupt malicious cyber activity and pursue their perpetrators," Acting National Cyber Director Kemba Walden told reporters.

The report's authors appear to doubt that the US criminal justice system is able to deal with the challenge alone and it is likely that government will use its other powers, including sanctions, to defend against foreign cyber criminals. "We want to shrink the surface of the earth in which people can conduct malicious cyber activity with impunity, to put pressure on them and make their lives a little bit less pleasurable... if a criminal is restricted to living in Russia and can't leave the borders, then perhaps that might create a bit of a deterrent effect." a senior official has said. 

According to the White House strategy, it is China that "now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so."

China's growing cyber capabilities have prompted growing concerns about attacks on US telecommunications, mass-pollution of American waterways and targeting of the US power grid.  "Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched," CISA Director Jen Easterly recently said.   

The new cybersecurity roadmap is intended to shift the burden of cyber risk beyond consumers and ensure "companies are not trapped in a competition to underspend their peers on cybersecurity." The US governmnet has  already started cyber security mandates intended to protect oil and gas pipelines, and shore up rail and aviation sectors. 

Officials have previewed plans for the Environmental Protection Agency (EPA) to issue a rule for the water sector. A 2021 survey of 606 drinking and waste-water organisations by the Water Sector Coordinating Council found half spent less than 5% of their budget on IT security. "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognising that even the most advanced software security programs cannot prevent all vulnerabilities," the strategy read. 

Most recently, the US Marshals Service had a major cyber attack compromising some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential investigative targets.   

The Congress has already passed laws requiring critical infrastructure owners and operators to report to the federal government within 72 hours in the event of a major cyber attack. "Where Federal departments and agencies have gaps in statutory authorities to implement minimum cyber security requirements or mitigate related market failures, the Administration will work with Congress to close them," according to the strategy. 

The New Strategy Has Five Elements  

Defend critical infrastructure:    The strategy will set minimum cybersecurity requirements for organisations across all critical infrastructure sectors, while also seeking to expand public-private collaboration and modernise federal networks.

Target and disrupt threat actors:   The administration has vowed to use "all instruments of national power" to target malicious actors, bring more private sector expertise to bear, and continue targeting ransomware "in lockstep with our international partners."  

Use market forces to improve security and resilience:    The administration wants a greater focus on "promoting privacy and the security of personal data" to drive data holders to better secure it, and it wants commercial developers and sellers of software and hardware to be liable if they fail to employ recognized security development practices.    

Invest in resilience:    The strategy highlights the need to reduce vulnerabilities in foundational technology, prioritise research and development for emerging technologies such as "post-quantum encryption, digital identity solutions and clean energy infrastructure," and expand the size of the nation's cyber workforce.

Enhance international partnerships:   Promoting "responsible state behaviour" as well as allies' own cybersecurity resilience and supply chain security remains a goal, as does attempting to impose costs on countries that engage in "irresponsible behaviour," according to the strategy.

Senior Director Cybersecurity Strategy at Menlo Security, Mark Guntrip, commented, ““There’s a lot to unpack in the Strategy, but a good place to start is building resilience in cyberspace. This is going to require organisations to lean on innovative technologies that act as alternatives to the traditional layers of security. We see that focusing on threat prevention ahead of detection and response makes good sense in order to improve overall security effectiveness. Technologies that provide isolation, deception solutions or data micro-segmentation could be starting points.”

National Cyber Director Chris Inglis stepped down from his post last month, retiring after almost two years at the helm of the agency responsible for coordinating a patchwork of agencies and offices tasked with safeguarding the nation's critical infrastructure. President Biden has yet to nominate his replacement. 

The White House:      GovInfoSecurity:     CBS:          BankInfoSecurity:     Forbes:     CNBC: 

You Might Also Read: 

Crackdown On Ransomware Criminals:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

• Individual £5 per month or £50 per year. Sign Up

• Multi-User, Corporate & Library Accounts Available on Request

• Inquiries: Contact Cyber Security Intelligence 

Cyber Security Intelligence: Captured Organised & Accessible