2023 National Cybersecurity Strategy Analysis

Written by: Sean D. Goodwin

The White House published its “National Cybersecurity Strategy” (referred to as the “Strategy” from here on) on March 2, 2023. The document is intended to make the United States’ digital ecosystem defensible, resilient, and values-aligned. It comes on the heels of several other pieces of federal cybersecurity guidance and several mandates, including:

In this article we break down the key points of the Strategy and provide some guidance on what impacts our clients may face.

The Strategy opens with a brief commentary from President Biden highlighting the importance of cybersecurity to the operation of our infrastructure and continuation of our country. He also notes that the federal government will seek to incentivize long-term investments in security and resilience.

After these opening comments we get into the meat of the Strategy, which begins by highlighting the environmental considerations that frame the Strategy.

Emerging Trends

As life continues to become more digitized, the available attack surface grows exponentially. This growth in attack surface is joined by increases in complexity and dependencies. Artificial Intelligence (AI) is also mentioned here, as the full impact of incorporating AI into existing systems is yet to be seen.

Privacy is also an increasing concern as personal information is digitized, not just records but also audio and video, as things like telehealth, wearable devices, and biometric data capture and usage continue to expand.

Operational Technology (OT) and other critical infrastructure systems are also being “digitized” in the sense that the systems controlling this technology are also being brought online, which is introducing its own version of interconnectivity and complexity.

Malicious Actors

Malicious actors have moved from attacks like website defacement to damaging critical infrastructure and advanced espionage. These advanced attacks used to be “affordable” for only a few countries with massive resources but are now widely accessible to both state actors and private citizens the world over. There are the usual suspects mentioned here as the primary threats: China, Russia, Iran, and North Korea.

The focus on China’s threat is tied to their ability to surveil and influence U.S. cybersecurity via digital authoritarianism, and the impacts this may have on a global scale.

Russia’s impact continues to expand on their history of espionage, influence, and attacks on neighboring countries as well as global competitors, especially in the critical infrastructure space.

The threats presented by both Iran and North Korea show an increase in both capability and willingness to use cyberattacks to interfere with other nations and provide a means of funding via ransomware attacks and cryptocurrency theft.

Through all these avenues of attack the United States is seeing billions of dollars in losses annually.

Now that the stage is set for the Strategy, we are introduced to the two fundamental shifts and the five strategic pillars the Administration feels are necessary to realize its vision.

The Strategy says the United States needs to:

  • Rebalance the Responsibility to Defend Cyberspace
  • Realign Incentives to Favor Long-Term Investments

Rebalance the Responsibility to Defend Cyberspace

The Strategy seeks to have the best-positioned actors be better stewards of the digital ecosystem. A great quote pulled from this section is, “A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.” If we replace “national security” with “business operational,” can your organization stand up to the test? Have you built a security environment that can be defeated by a single user’s actions?

Realign Incentives to Favor Long-Term Investments

This shift identifies the challenge of balancing short-term imperatives against long-term visions, and of defending the systems in place today while also preparing for a more defensible and resilient future. Compliance frameworks and mandates will not be the key to success here, as those take time to update and are therefore always lagging behind the threat environment. It will be interesting to see which “points of leverage” the Administration uses to incentivize security investment – the carrot of things like tax credits, or the stick of regulation.

The Strategic Pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

1. Defend Critical Infrastructure

This will require a true collaborative effort between the public and private sectors. So much of the underlying infrastructure is in the private sector yet has the potential for national impact. Here is another area where there is a focus on regulation, which will hopefully not be the primary lever used by the Strategy. What is great to see here is the notion that the Federal Government can better support the overall defense of our critical infrastructure by focusing on the defensibility and resiliency of its own systems. In this effort, it can provide a model for others to follow, including efforts to implement a Zero Trust Network Architecture (ZTNA) strategy, as well as modernizing some legacy technologies.

1.1 Establish Cybersecurity Requirements to Support National Security and Public Safety

This sub-objective focuses on creating “modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile.” The goal here is to create regulatory requirements that are both operationally and commercially viable. These regulations will aim to be performance-based and will leverage existing cybersecurity frameworks (rather than ending up like this xkcd comic). There are some promising remarks as far as using tax structures to enable organizations to afford security investment.

1.2 Scale Public-Private Collaboration

There are existing pathways for public-private collaboration (SRMAs, ISAOs, and ISACs), but the Administration will seek to develop a shared vision of how to mature these collaborative efforts.

1.3 Integrate Federal Cybersecurity Centers

The Strategy will seek to provide opportunities for timely, actionable, and relevant information sharing within the sectors. Here both the speed and scale of information sharing will be a major focus point.

1.4 Update Federal Incident Response Plans and Processes

While many private organizations can respond to incidents on their own, when government assistance is needed or requested, there are often confusing or disjointed resources. Here the Administration will seek to provide clear guidance on the who, how, and when to contact Federal agencies. There is also a focus on increasing the awareness of incidents as they are reported, as well as sharing lessons learned post-incident.

1.5 Modernize Federal Defenses

Adoption of a ZTNA strategy is key to the future success of the federal systems, specifically in being able to defend against threats inside and outside the traditional network boundaries. There is also a focus on implementing what many consider to be foundational controls, such as multi-factor authentication, data encryption, and asset management.

2. Disrupt and Dismantle Threat Actors

The U.S. will aim to build on past successes in targeting threat actors through various means (diplomatic, military, financial, law enforcement, etc.) to prevent sustained cyber campaigns.

2.1 Integrate Federal Disruption Activities

The defense strategy will be informed by lessons learned from past operations but will seek to increase the speed and volume of disruption campaigns. To aid in this, they will be working to develop platforms that allow for continuous and coordinated operations between the various agencies and private partners.

2.2 Enhance Public-Private Operation Collaboration to Disrupt Adversaries

This sub-objective seeks to ensure more information sharing from the private sector. Due to its size and scale, the private sector has much greater visibility into attacker campaigns. The Administration is encouraging increased information sharing so that Federal agencies with the means and authority to take disruption actions can assist.

2.3 Increase the Speed and Scale of Intelligence Sharing and Victim Notification

The Federal government will seek to increase the speed and scale of notification activities when they believe an organization is being targeted or has already been breached. Notably, this will include reviewing the existing declassification processes to provide timely, actionable intelligence.

2.4 Prevent Abuse of U.S.-Based Infrastructure

The Strategy is calling on service providers to make “reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.” Implementation of the guidelines in EO 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” will be the focus.

2.5 Counter Cybercrime, Defeat Ransomware

The Strategy outlines four avenues available for defeating cybercrime:

  • Leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals
  • Investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors
  • Bolstering critical infrastructure resilience to withstand ransomware attacks
  • Addressing the abuse of virtual currency to launder ransom payments

3. Shape Market Forces to Drive Security and Resilience

This pillar aims to encourage an ecosystem that promotes the security and resiliency of our digital environment. This will push liability in a direction that will move the Software Bill of Materials (SBOM) movement forward.

3.1 Hold the Stewards of our Data Accountable

The Administration seeks legislative efforts here to limit the ability to collect, use, transfer, and maintain personally identifiable information (PII), as well as to provide strong protections for such data.

3.2 Drive the Development of Secure Internet of Things (IoT) Devices

The IoT Cybersecurity Improvement Act of 2020 is mentioned here to bolster the security and documentation related to IoT devices.

3.3 Shift Liability for Insecure Software Products and Services

Entities that fail to take reasonable precautions will hold more liability in the event of data loss or misuse. Legislation will seek to incentivize the adoption of secure software development practices as well as the development of SBOMs.

3.4 Use Federal Grants and Other Incentives to Build in Security

Various legislative efforts have been passed that will be used to fund security efforts in building and maintaining infrastructure, as well as driving these cybersecurity best practices at scale.

3.5 Leverage Federal Procurement to Improve Accountability

Contractual agreements to follow cybersecurity best practices will be used to hold organizations accountable. The Strategy seeks to standardize the approach for setting, enforcing, and testing the cybersecurity requirements identified through the procurement process.

3.6 Explore a Federal Cyber Insurance Backstop

The Administration is investigating the feasibility of a federal insurance response to catastrophic cybersecurity incidents, put in place before an incident occurs rather than pursued as an aid package after the fact.

4. Invest in a Resilient Future

This pillar seeks to encourage the next generation of cybersecurity professionals through both the education lever (workforce availability and competency) and domestic research, development, and production efforts.

4.1 Secure the Technical Foundation of the Internet

The Strategy seeks to secure BGP and DNS (it is always DNS) and to drive the adoption of IPv6. Here the Federal government seeks to lead the way by adopting these best practices in its own systems.

4.2 Reinvigorate Federal Research and Development for Cybersecurity

Funding will target research and development in areas that prevent and mitigate the cybersecurity risks we face, including:

  • Artificial intelligence
  • Operational technology and industrial control systems
  • Cloud infrastructure
  • Telecommunications
  • Encryption
  • System transparency
  • Data analytics

4.3 Prepare for Our Post-Quantum Future

The balance between encouraging the research and creation of quantum computing capabilities and defending existing systems during the transition process will be critical. This will include support for quantum-resistant cryptography as well as identification and implementation of mitigation strategies.

4.4 Secure Our Clean Energy Future

The Strategy identifies the risks presented by “smart” devices in the energy generation and storage ecosystem, as well as a need for developing best practice guidelines to be implemented moving forward.

4.5 Support Development of a Digital Identity Ecosystem

NIST is leading research and development on digital identity solutions that will include a focus on privacy, security, civil liberties, equity, accessibility, and interoperability.

4.6 Develop a National Strategy to Strengthen Our Cyber Workforce

A separate “National Cyber Workforce and Education Strategy” document will be created to address the challenges in recruiting, hiring, and retaining cyber workforce professionals.

5. Forge International Partnerships to Pursue Shared Goals

This pillar seeks to expand the idea of collaboration to the international stage, especially as it relates to supply chain security.

5.2 Build Coalitions to Counter Threats to our Digital Ecosystem

The Strategy focuses on collaboration efforts, especially as many cyber threat actors operate in a transnational manner. The Strategy will look to build off the existing partnerships to enhance the cross-border data and intelligence sharing capabilities.

5.3 Strengthen International Partner Capacity

This includes both military-to-military partnerships and partnerships through public and private industry. The DOJ will lead the effort from a law-enforcement perspective and seek to strengthen cooperation, laws, and their enforcement capability.

5.4 Expand U.S. Ability to Assist Allies and Partners

The Strategy seeks to formalize a process to identify when providing cybersecurity support is in the best interest of the nation. NATO support efforts are listed as an example of existing processes and will likely receive additional attention and support.

5.5 Build Coalitions to Reinforce Global Norms of Responsible State Behavior

The Strategy seeks to normalize peacetime behaviors in cyberspace, including coordinated statements and responses to state actors who deviate from the accepted norms.

5.6 Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services

Supply chain issues will receive additional attention, including strategic collaborations between public and private sector groups. Specific to this Strategy, projects such as 5G and Open RAN will work towards development and adoption of open, interoperable, and standards-based networks. The Department of State will also be working to accelerate cross-border supply chain risk management efforts.

Finally, the Strategy wraps up with a summary of the implementation plan. A detailed plan will follow, and it will include:

  • Assessing Effectiveness
  • Incorporating Lessons Learned
  • Making the Investment

Overall, the Strategy does capture many topics being discussed in the cybersecurity space in general: moving towards a ZTNA, adopting sound cybersecurity control practices, and holding the correct stakeholders responsible through things like SBOMs and contractual obligation enforcement. As noted before, it will be interesting to see which lever the Administration pulls on to drive the vision of this Strategy forward.