Unpacking the 2023 National Cybersecurity Strategy
The ink on yesterday’s release of the 2023 National Cybersecurity Strategy isn’t quite dry, but its contents are already being carefully scrutinized. As the first update to the nation’s cyber strategy in five years, it’s a significant roadmap update that can provide cyber professionals and business management alike with insight into the actions the Administration is likely to take in the near future.
While the document is full of information on the new goals and priorities, I've highlighted here a few key observations as I read through it.
Critical Infrastructure’s in the spotlight
It’s true that Critical Infrastructure has long been identified as a priority for the US cyber strategy. The previous 2018 National Cyber Strategy spent just a few columns on the topic, mainly committing to educating organizations of the risks to industrial control systems (ICS) and operational technology (OT), and promoting the benefits of cybersecurity investments. Notably, it didn’t assign these tasks to anyone in particular, instead calling for "the Federal Government" to lead it through private-public partnerships.
Yesterday’s new release has moved ICS and OT security to center stage. In the past five years, the effects (real and potential) of cyber attacks on Critical Infrastructure have been highly publicized - including the Colonial Pipeline hack and the Oldsmar, Florida water treatment plant incident. The new Strategy sees Critical Infrastructure now promoted to one of the five strategic Pillars, with much more specific objectives and assigned roles and responsibilities.
The 2023 Strategy calls upon state and local regulators to follow Federal guidance in updating their regulations to align with CISA and NIST standards. The Strategy further designates ONCD and OMB as the agencies responsible for harmonizing cross-border regulations. And finally, the Administration outlines its plan to use regulatory mechanisms as a way to “create a level playing field so that companies are not trapped in competition to underspend their peers on cybersecurity,” and encourages regulators to adjust rate-making to ensure that cybersecurity efforts can be properly resourced.
My takeaway: OT and critical infrastructure owners should start thinking carefully about how to update their operations to make them more resilient and secure. In particular, evaluate and consider adopting Zero Trust approaches to the OT environment that can minimize or even eliminate the impact to legacy operations.
Follow my lead
The Government is doubling down on its commitment to EO 14028, “Improving the Nation’s Cybersecurity,” which mandates the adoption of Zero Trust Architectures within the Federal government by the end of FY 2024.
In case the Federal Government’s intentions were at all fuzzy, yesterday’s National Cybersecurity Strategy makes them crystal clear: “the Federal Government will be a model for private sector emulation.”
And if the carrot of better security and aligning to Government standards isn’t enough, the new Strategy contains this stick: “[w]e will use Federal purchasing power and grant-making to incentivize security.” The Administration will use the power of the purse to make the private sector fall in line. Already, we are seeing agencies start to incorporate Zero Trust requirements into their RFPs.
And it won’t be enough to simply claim compliance with RFP requirements. From the Strategy:
“The Civil Cyber-Fraud Initiative (CCFI) uses DOJ authorities under the False Claims Act to pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations. The CCFI will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.” (emphasis added)
My takeaway: the private sector really needs to pay attention to this. This may have been obvious to companies in the Defense Industrial Base, but it’s becoming clear that any company looking to do business with the Federal Government - even small businesses - will find themselves needing to make representations about their cybersecurity practices and alignment with EO 14028. The CCFI makes sure these representations have teeth. Zero Trust is no longer a nice to have; it is quickly becoming table stakes.
Shifting the responsibility for security to product vendors
Who ever reads the fine print? Companies know that, and it’s standard practice to disclaim all warranties in the terms of service or license agreement to avoid potential liabilities that may result from the use (or misuse) of a product.
From the cybersecurity perspective, the nature of markets creates a disincentive to make products completely secure. Companies ship a minimum viable product, sometimes leaving out security entirely and requiring the end user to add external security controls. Companies cut corners to get to market quickly, creating security technical debt that is fixed much later, if ever. And "fast and loose" software and hardware design practices may leave products vulnerable to supply chain attacks, such as injection of malware into the official product.
Regardless of the reasons for these insecurities, product vendors are currently able to wave away liability through standard disclaimers, essentially saying: “it’s your fault for using our insecure product.”
In the press conference discussing the new Strategy, Kemba Walden, Acting National Cyber Director, summed up the current state of product development this way:
“We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. We ask my mom and kids to be vigilant against clicking on malicious links. We expect school districts to go toe to toe with transnational criminal organizations, largely by themselves. This isn’t just unfair, it’s ineffective.”
According to the Strategy, the way to change this is through regulation: “the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” Essentially, compliance with secure development standards is what shields you from liability.
This point might be one of the more contentious parts of the Strategy, as it has a major impact on the way companies design and develop products. It will certainly need new legislation from Congress. If the Administration is able to pull it off, companies will need to overhaul how they develop and deliver products - which, let’s face it, would probably be a Good Thing for all of us.
My takeaway: companies need to watch these developments, but CEOs should also strongly encourage their engineering teams to get ahead of the curve. Even if new legislation fails to materialize, software and hardware products can only be safer if the source files are safe from being encrypted by ransomware, stolen by a contractor, or modified by a malicious insider or hacker. These types of incidents are absolutely material, and the company’s steps to secure intellectual property and the development processes really should be discussed at the board level.
There are plenty of other articles out there with insights on what the Biden Administration intends to do with the National Cybersecurity Strategy - I recommend you take an hour and read through the Strategy yourself. Even if it is not fully realized, accomplishing just a few of the pillars of this bold strategy will have a major positive impact on our nation’s cybersecurity. I look forward to seeing what new actions come from this announcement.