Because cybersecurity is a collective effort, enterprises need to clearly understand the U.S. National Cybersecurity Strategy. The strategy provides guidance for dealing with the dynamic and shifting nature of cyber threats while foreshadowing future government regulations and where funding will go. Public and private companies, including government contractors, should pay close attention to the strategy’s depiction of top cyber priorities and leading security practices to adopt.
The White House’s strategy is an extension of President Biden’s Executive Order on Improving the Nation’s Cybersecurity that was issued in May 2021. The Biden administration introduced the full cybersecurity strategy in March 2023, followed by a detailed implementation plan in July. Both documents are required reading for security professionals.
Actions from the implementation plan are detailed below; enterprises should address these actions to ensure a more resilient cyber environment.
Five pillars of cybersecurity strategy
The strategy proposes fundamental shifts in how the U.S. government allocates roles in cyberspace, while stressing the importance of improving cooperation between the public and private sector, especially in areas such as information sharing. One significant takeaway from the strategy is a shift in responsibility for defending cyberspace away from private individuals, small businesses and local governments to organizations that are most capable of reducing cybersecurity risks.
The strategy and implementation plan also signal a shift in tone by the government, from guidance to, at times, a more punitive stance in dealing with cyber obligations. Whereas previous communications were largely focused on regulations and compliance, in some areas of the implementation plan the government uses markedly more assertive language. For example, under Strategic Objective 3.5, the government asserts it intends to leverage the False Claims Act to “pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations.” In addition, terms in the implementation document such as “disrupt and dismantle” suggest a more offensive posture by the government to actively reduce ransomware risks and the threat from cyber actors around the world.
For example, in late August, FBI security professionals took control of the global infrastructure of the Qakbot botnet that was responsible for generating around $58 million in ransoms paid by victims. The multinational operation marked one of the largest-ever U.S.-led enforcement actions taken against cybercriminals. This comes on the heels of the government proactively patching Microsoft Outlook services in early 2022.
Recognizing that government must use all tools of national power in a coordinated way to protect the public, the strategy is built on five pillars:
1. Defend critical infrastructure. The strategy focuses on the importance of those responsible for critical infrastructure meeting minimum cyber requirements, not just in the U.S. but globally. To do so, enterprises need a clear understanding of whether they form part of U.S. critical infrastructure and what obligations they carry for defending that infrastructure from cyber threat actors.
The government says that expanding the use of minimum software requirements in critical sectors and harmonizing regulations will be used to ensure national security and public safety. Maintaining operational resilience is emphasized, and the strategy states a commitment by the Biden administration to identify security gaps and work with industry, Congress and regulators to close them.
2. Disrupt and dismantle threat actors. This section of the National Cybersecurity Strategy signals a more proactive role by the government, and this is emphasized in the implementation plan, which specifies making “malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.” The implementation part of the strategy spells out a plan to integrate federal disruption activities, propose legislation to help disrupt cybercrime, and enhance collaboration between public and private entities.
A key provision under the objective aimed at increasing the speed and scale of information sharing and victim notification is the government’s intention to remove barriers to delivering threat intelligence and data to critical infrastructure operators. For example, the government proposes the use of nimble, temporary cells composed of a small number of trusted operators using a virtual collaboration platform to rapidly disrupt adversaries. This aligns with the government’s call for a more collaborative environment by creating better communication channels between the private sector and relevant government agencies.
3. Shape market forces to drive security and resilience. To address the challenges of continued disruptions, the strategy proposes to “hold the stewards of our data accountable for the protection of personal data,” as well as “reshape laws that govern liability for data losses and harm caused by cybersecurity errors.” A key part of this section is the strategic objective covering a shift in liability for insecure software products and services from individual users and small organizations to “those entities that fail to take reasonable precautions to secure their software.”
As positive reinforcement, it is stated that the government will “drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” The government’s willingness to use the False Claims Act to assess large fines for failure to comply with cybersecurity requirements in federal contracts and grants, coupled with the recent increase in the incentivization of whistleblowers, sends an important signal regarding cybersecurity liability, at least in the government sector.
4. Invest in a resilient future. This set of initiatives presents the government’s intention to prioritize R&D of next-generation cybersecurity technologies to make the digital ecosystem more resilient and foster the development of a diverse and robust national cyber workforce. For its part, the government states a commitment to fund federal grant programs that promote investments in new infrastructure that is secure and resilient.
More specifically, the implementation plan focuses on leading the adoption of network security best practices, such as prioritizing post-quantum cryptography, and promoting open-source software security. One initiative proposes the development of a cyber workforce and education strategy; any commitment to invest in adding more cyber practitioners to the workforce is beneficial in the fight against cybercrime.
5. Forge international partnerships to pursue shared goals. With a clear acknowledgement that fighting cyber threats requires a concerted global effort, the government says it seeks a world where responsible state behavior in cyberspace is expected and irresponsible behavior is isolating and costly. This is to be accomplished by leveraging international partnerships and securing global supply chains for technology products and services.
Government cybersecurity efforts in countries across the globe vary, with significant regional initiatives being implemented including the European Cybersecurity Competence Centre and the ASEAN Cybersecurity Cooperation Strategy. Knowing that there will be an increase in the obligation to share information, enterprises based in the U.S. with worldwide operations need to understand the balance that needs to be struck between meeting local cybersecurity reporting requirements and staying true to U.S. cyber goals.
The implementation plan adds a sixth pillar of implementation-wide initiatives designed to monitor the effectiveness of the strategy. This includes developing annual reports for the President of the United States and Congress that detail follow-on actions, and applying lessons learned from the implementation plan. Going forward, the effectiveness of the strategy will be measured by metrics such as reductions in cyber incidents, increased sharing of threat intelligence, and enhanced compliance with regulations and standards.
Cybersecurity strategy action plan
Reading, understanding and acting on the strategy gives enterprises the opportunity to take stock of their own security posture, adopt best practices and prioritize IT investments. A key takeaway is that while the government intends to expand the use of regulations to enforce minimum cyber requirements and standards on critical infrastructure, the strategy also signals an intention to incentivize good cyber behavior.
The following actions should be taken, especially for organizations that might not be as cognizant of the government’s cybersecurity policy as more established companies:
- Incorporate the strategy into your cybersecurity roadmap. Those organizations that don’t already have a well-crafted cybersecurity strategy or roadmap should start developing one now. Enterprises that have a solid strategy need to make sure it addresses the five pillars of the national strategy and implementation, especially around adhering to best security practices. Key areas of focus should include standards, threat intelligence, information sharing, incident reporting and secure software development.
- Be aware of impending minimum cybersecurity requirements. Enterprises must be fully cognizant of developments around the strategy’s stated intention of expanding minimum cybersecurity requirements (see NIST (National Institute of Standards and Technology) Cybersecurity Framework 2.0) and how their cybersecurity program measures up. Engaging in this is not only a best practice for regulatory compliance reasons but a critical necessity, because doing so will help enterprises protect data, mitigate risk and safeguard reputation and trust.
- Prioritize the development of secure software. Enterprises need to have proper processes and duty of care in place to enable the delivery of software that meets and exceeds minimum software development requirements pertaining to security. For one, the latest technology and best security practices need to be embedded in the software development process. At the very least, enterprises should be following the guidelines provided in the NIST Secure Software Development Framework.
- Understand and plan for SBOMs. It is crucial to develop a software bill of materials (SBOM) for each stage of the development process to provide visibility of all software components. SBOMs can be used as a valuable tool for meeting security requirements, especially those related to risk management, supply chain security, and maintaining required transparency. Organizations should also plan for the receipt and use of SBOMs to augment traditional vulnerability and attack surface management processes.
- Foster a collaborative security environment. Enterprises need to be aware of their obligations around reporting cybersecurity incidents and step up collaboration efforts in areas such as intelligence sharing. Organizations should know how they can leverage the power of the U.S. government to make the cybersecurity ecosystem better. Develop a plan of action for sharing threat intelligence and stay abreast of the activities of the Cyber Threat Intelligence Integration Center.
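The SBOM action above says to plan for receiving SBOMs and using them to augment vulnerability management. The following is an added example (not part of this article and not DXC’s tooling) of what that looks like in practice: a CycloneDX-style SBOM is parsed and each component is checked against an advisory feed that lists the first fixed version. The SBOM, the advisory feed, the component names and the advisory IDs are all constructed sample data, and the version-ordering rule is a simple assumption of this example rather than any ecosystem’s official one.

```python
"""Added example, not part of the article or DXC's tooling: parse a
CycloneDX-style SBOM and flag components whose version sorts before the
fixed version in an advisory feed. The SBOM and advisory feed below are
constructed sample data; the advisory IDs are placeholders, not real CVEs."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM using a subset of the CycloneDX JSON fields.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        # A component without a version cannot be assessed; it is reported as such.
        {"type": "library", "name": "vendor-blob"},
    ],
})

# Constructed advisory feed: component name -> [(first fixed version, placeholder id)].
# A component is treated as affected when its version sorts before the fix.
SAMPLE_ADVISORIES = {
    "log4j-core": [("2.17.1", "ADVISORY-PLACEHOLDER-1")],
    "openssl": [("1.1.1l", "ADVISORY-PLACEHOLDER-2")],
}


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]


@dataclass(frozen=True)
class Finding:
    component: Component
    fixed_version: Optional[str]   # None when the component could not be assessed
    advisory_id: Optional[str]     # None when the component could not be assessed


def version_key(version: str) -> tuple:
    """Split a version into numeric and alphabetic runs so that
    '1.1.1k' < '1.1.1l' and '2.14.1' < '2.17.1' compare as expected.
    Numeric runs sort before alphabetic runs at the same position.
    (Assumed ordering rule for this example, not an official scheme.)"""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def parse_sbom(text: str) -> list:
    """Load a CycloneDX JSON document and keep only the fields needed for matching."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return [Component(c["name"], c.get("version"), c.get("purl"))
            for c in doc.get("components", [])]


def find_affected(components: list, advisories: dict) -> list:
    """Return one Finding per (component, advisory) match, plus one Finding
    with advisory_id=None for each component whose version is missing."""
    findings = []
    for comp in components:
        if comp.version is None:
            findings.append(Finding(comp, None, None))
            continue
        for fixed, advisory_id in advisories.get(comp.name, []):
            if version_key(comp.version) < version_key(fixed):
                findings.append(Finding(comp, fixed, advisory_id))
    return findings


def affected_names(findings: list) -> list:
    """Sorted names of components with a concrete advisory match."""
    return sorted({f.component.name for f in findings if f.advisory_id})


if __name__ == "__main__":
    for f in find_affected(parse_sbom(SAMPLE_SBOM), SAMPLE_ADVISORIES):
        if f.advisory_id is None:
            print(f"{f.component.name}: no version in SBOM, cannot assess")
        else:
            print(f"{f.component.name} {f.component.version}: affected by "
                  f"{f.advisory_id}, fixed in {f.fixed_version}")
```

Two design points matter when this is applied to a real SBOM feed: components that arrive without a version are surfaced rather than silently skipped, because an unassessable component is itself a supply-chain finding, and the advisory lookup keys on the component name only, so in production the package URL (purl) should be used to avoid matching a same-named library from a different ecosystem.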
As a leading global IT services provider, DXC Technology is uniquely positioned to support the cybersecurity initiatives of the U.S. federal government and to help our customers. DXC works closely with our global partner ecosystem to weave cyber resilience into our customers’ IT security, operations and culture. Leveraging the experience of thousands of experienced cybersecurity professionals, DXC offers a wide range of advanced security solutions to public and private organizations worldwide, as well as hosting and software development services that incorporate best security practices.
Be cybersecurity strong
The National Cybersecurity Strategy should serve as a driving force, motivating organizations to reinvigorate their commitment to cybersecurity. Companies should elevate cybersecurity as a key business risk and boardroom topic, recognizing its potential to cause significant harm and financial setbacks.
In short, organizations need to heed the guidelines detailed in the strategy by implementing best cybersecurity practices and be able to demonstrate the ability to deliver secure products and software, or risk being held accountable. This means understanding the entire IT estate including where there are vulnerabilities, knowing how to best protect it, and making the investments required to be cybersecurity strong.