The White House released its long-awaited National Cybersecurity Strategy. Rather than more federal regulations, the new federal policy delegated much of the responsibility for digital security to tech companies.
The policy document advocates for more mandates on the companies that control the majority of the nation’s digital infrastructure. It also advocates for a broader government role in disrupting hackers and state-sponsored entities.
However, the new strategy creates a cybersecurity roadmap for new laws and regulations over the next few years, aimed at helping the U.S. fight against emerging cyber threats. It sets the tone for long-term government actions that will:
- Explore a national insurance backstop in the case of a catastrophic cyberattack to supplement the existing cyber insurance market;
- Focus on defending critical infrastructure by expanding minimum security requirements in specific sectors and streamlining regulations;
- Treat ransomware as a national security threat, and not just a criminal issue.
This initiates a fundamental shift in the government’s cybersecurity vision. The shift in emphasis reflects how the US allocates roles, responsibilities, and resources in cyberspace.
It also rebalances the responsibility for cybersecurity by shifting the burden away from individuals, small businesses, and local governments. According to the policy declarations, the onus is instead on the most capable and best-positioned organizations to reduce risks for all of.
“The Strategy recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity,” the White House said in its announcement.
A New Approach
The Biden-Harris strategy aims to strengthen collaboration around five pillars:
- Defend Critical Infrastructure;
- Disrupt and Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future through strategic investments and coordinated, collaborative action to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure;
- Forge International Partnerships to Pursue Shared Goals.
According to the policy statement, with these standards in place, the newly harnessed global allies and partners will make the United States’ digital ecosystem resilient, defensible, and values-aligned.
Federal Cybersecurity Requirements, Enforcement
According to CyberSheath CEO Eric Noonan, the federal government is visibly and meaningfully committing to expanding mandatory minimum cybersecurity requirements across critical sectors.
He went on to say that this is a welcome recognition of the federal government’s role and a complete abandonment of the original 2003 strategy, which stated that federal regulation would not be the primary means of securing cyberspace.
“It might have taken 20 years, but the federal government is now saying the quiet part out loud. The lack of mandatory cybersecurity minimums has failed, and regulatory mandates are coming, so get your house in order,” Noonan stated.
He added that the strategy makes it clear that where the government lacks the authority to mandate minimum standards, the administration will work with Congress to close those gaps and regulate the unregulated.
Noonan predicted that our ability to detect and defend against cyber threats would undergo a sea change, but only if agencies like the Department of Defense, the Securities and Exchange Commission, the Federal Communications Commission, and the rest of the federal government use their full regulatory authority to establish and enforce mandatory cybersecurity minimums for their respective contractors and suppliers.
“That is the single most impactful thing the federal government can do for our nation’s cyber defense, and this strategy does it,” he said.
Backing From the EU
Martin Riley, director of managed security services at cyber firm Bridewell, is pleased by the U.S.'s changed attitude towards issues relating to cybersecurity.
“It is great to see these steps coming into effect. We in Europe have found ourselves in a place of leadership across many of these areas with regulations such as NIS and GDPR driving the agenda for years,” Riley told reporters.
That puts the European Union in a great position to assist and lead its US allies in the goal of cyber resilience, he added. “I look forward to digging into the details to see the incentives the U.S. government is going to apply so that these practices are taken up equally across all states and relevant sectors.”