On March 2, 2023, the Biden administration announced the release of a new National Cybersecurity Strategy, outlining the government’s approach to strengthen cybersecurity governance, improve online safety for citizens and build a fortified digital ecosystem resilient to attacks.
Whether your organization resides in the public or private sector, the National Cybersecurity Strategy will have implications for your business. Below, we’ll explore everything you need to know.
Key takeaways from the National Cybersecurity Strategy
“Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.” – Joe Biden
The National Cybersecurity Strategy document is based around five pillars, each with its own specific objectives. As Forrester notes, the strategy document highlights the following at a top-level:
- Minimum cybersecurity requirements will be implemented across industries.
- Technology is considered critical infrastructure.
- Protecting digital ecosystems is crucial to national security.
- Private enterprises have a vital role to play in defending national security from a cyber standpoint.
All of this is to say that the responsibility of public and private firms to defend against data exfiltration, leakage and cyber-attacks is increasing.
As the Harvard Business Review recently notes: “The time for private companies voluntarily opting into cybersecurity has long passed. Instead, the new strategy promises to support new regulatory frameworks that will shift liability and create incentives for private firms to defend against critical vulnerabilities.”
So, what exactly is expected of organizations as part of the Strategy? The answer lies in the five pillars, which we’ll look at in detail below.
An overview of the five pillars
1: Defend critical infrastructure
The private sector plays a pivotal role in providing digital services to citizens and federal organizations. Prior to the release of the Strategy, the organizations that owned and managed these technologies were often self-governed in terms of cybersecurity.
While regulations like HIPAA, GDPR and CCPA made some headway to enhance data protection, there is still no cohesive, overarching regulation relating to cybersecurity in the US. But with the Strategy, that could change in the near future, as the strategic objectives show:
Strategic objective 1.1 — establish cybersecurity requirements to support national security and public safety
Critical infrastructure represents a tempting target for nefarious actors, especially those motivated to commit acts of cyber warfare. Aware of the threat against critical infrastructure providers, the National Cybersecurity Strategy outlines plans to expand regulations in this area to ensure consistent, strong cybersecurity practices at scale.
Strategic objective 1.2 — scale public-private collaboration
The administration emphasizes the need for collaboration between private sector and federal entities to promote best practice, enhance threat intelligence and prevent future attacks.
Strategic objective 1.3 — integrate federal cybersecurity centers
Numerous departments already exist with responsibilities to defend critical infrastructure. In order to improve effectiveness and breakdown silos, the administration intends to fuse federal cybersecurity centers together. The Joint Cyber Defence Collaborative (JCDC) at CISA is the first step towards this vision.
Strategic objective 1.4 — update federal incident plans and processes
Most large organizations invest both time and resources in creating excellent incident response plans. However, things often go awry when it comes to contacting law enforcement. The sheer number of agencies out there both at the national and local level makes a unified federal response near impossible. The government has recognized that and, as a result, the Strategy outlines plans to streamline the processes, procedures, and systems for reporting incidents to law enforcement.
Strategic objective 1.5 — modernize federal defenses
The government has issued plans to implement a zero-trust approach across its networks and applications. This should come as no surprise given that, in the cloud-first world, maintaining data security is more difficult than ever. Migrating to zero trust with help federal bodies better protect sensitive information while tackling both insider and outsider threats.
2: Disrupt & dismantle threat actors
As cyberattacks mount, pillar two aims to make mounting successful attacks more difficult for would-be attackers, using a combination of disruptive technologies, offensive efforts and information sharing:
Strategic objective 2.1 — integrate federal disruption activities
The administration plans to “defend forward”, using strategic insights and disruptive technological platforms to discover and disrupt malicious actors at scale.
Strategic objective 2.2 — enhance public-private operational collaboration to disrupt adversaries
The private sector has a wealth of information about adversary activity. To prevent malicious attacks, the government understands it must collaborate with private sector organizations to build a complete picture of the threat landscape. As a result, the Strategy outlines plans to increase real-time collaboration.
Strategic objective 2.3 — increase the speed and scale of intelligence sharing and victim notification
The government plans to increase the effectiveness and speed of its breach notification program, so that organizations being targeted or already compromised by an attack can take swift action.
Strategic objective 2.4 — prevent abuse of us-based infrastructure
The Strategy considers cloud infrastructure as critical infrastructure, noting that infrastructure-as-a-service providers will be subject to more stringent regulations in relation to cybersecurity. .
Strategic objective 2.5 — counter cybercrime, defeat ransomware
Ransomware defense remains a strategic priority. The administration will take a multi-pronged approach to deter ransomware attacks:
- International cooperation
- Law enforcement investigations of ransomware actors
- Critical infrastructure resiliency
- Addressing abuse of virtual currency
3: Shape market forces to drive security & resilience
Pillar three puts the focus on incentivizing cybersecurity, both among organizations that need to implement better cybersecurity practices and the developers of cybersecurity solutions and products.
Strategic objective 3.1 — hold the stewards of our data accountable
Citizen data is highly sensitive in nature and must be collected, stored and processed carefully. The administration has therefore noted its support of legislative efforts to govern how organizations utilize personally identifiable information. It also mentions plans to create national requirements in this area, supported by NIST – although the details are so far vague.
Strategic objective 3.2 — drive the development of secure iot devices
Internet of Things (IoT) devices have a longstanding poor reputation for cybersecurity. The government plans to enhance IoT security through several tactics, including the expansion of IoT labelling programs.
Strategic objective 3.3 — shift liability for insecure software products and services
Aware that poor software security is often due to putting time pressures above security, the administration has made a pivotal shift: companies that fail to adequately protect their software products and services during the development lifecycle will be held liable for vulnerabilities. The legislation surrounding this objective is yet to be announced.
Strategic objective 3.4 — use federal grants and other incentives to build in security
The government will offer grants to help improve the cybersecurity of critical infrastructure. It will also invest money in R&D programs to strengthen security and resilience throughout the critical infrastructure lifecycle.
Strategic objective 3.5 — leverage federal procurement to improve accountability
Companies that work with the federal government must live up to their contractual commitment or they could be charged under the Strategy. Under the False Claims Act, the Department of Justice can take civil action against vendors or organizations that put the federal government’s cybersecurity at risk due to poor cybersecurity practices.
Strategic objective 3.6 — explore a federal cyber insurance backstop
The federal government will explore the role it may play in supporting the cyber insurance market.
4: Invest in a resilient future
The US wants to be a leader in technology and innovation both now and in the future. As part of that, the Strategy outlines plans to safeguard the future of our digital ecosystem.
Strategic objective 4.1 — secure the technical foundation of the internet
The administration is keen to eradicate systemic vulnerabilities within the Internet by collaborating with industry leaders, academia, and allied nations to create global cybersecurity standards with interoperability.
Strategic objective 4.2 — reinvigorate federal research and development for cybersecurity
The government understands that technology is a fast-moving discipline. As new technologies like artificial intelligence and quantum computing develop, it plans to drive cybersecurity innovation and investments in these areas, so that newer technologies are protected from attack.
Strategic objective 4.3 — prepare for our post-quantum future
Quantum computing could break many of the encryption standards in use today. As a result, the administration is prioritizing investment in replacing hardware, software and applications that could be compromised by quantum computing. It urges the private sector to follow suit.
Strategic objective 4.4 — secure our clean energy future
The move towards a clean energy future heavily relies on cloud-based technologies and applications, all of which are vulnerable to exploitation by malicious actors. Recognizing this, the administration has committed to a security-by-design approach to the new generation of software and hardware systems that will fuel the US electric grid.
Strategic objective 4.5 — support development of a digital identity ecosystem
With identity theft on the rise, the government will accelerate efforts to create a reliable, secure and trustworthy digital identity ecosystem. The details of how this will be put into action are yet to be released, but it is certainly an interesting space to watch.
Strategic objective 4.6 — develop a national strategy to strengthen our cyber workforce
The cybersecurity talent shortage has been well-documented. It’s something that has plagued the industry for years. The administration plans to bolster the talent pipeline through a mixture of apprenticeships, training programs and workplace initiatives to enhance diversity within the sector.
5: Forge international partnerships to pursue shared goals
The final pillar within the Strategy focuses on strengthening international relationships in order to improve both national and global online safety.
Strategic objective 5.1 — build coalitions to counter threats to our digital ecosystem
Alongside the United Nations and other bodies, the administration is working on a vision for the future of the internet, built around safeguarding human rights, maintaining privacy and championing democracy. As part of working towards vision, the US hopes to collaborate with other bodies to improve threat intelligence sharing.
Strategic objective 5.2 — strengthen international partner capacity
The administration plans to strengthen military-to-military partnerships with international allies to strengthen cybercrime operations.
Strategic objective 5.3 — expand us ability to assist allies and partners
Cyber-attacks are a problem in most countries across the world. The US recognizes this and, as a result, promises to support allies and partner nations impacted by cyber incidents.
Strategic objective 5.4 — build coalitions to reinforce global norms of responsible state behavior
The UN has established certain norms for peacetime, although some nations fail to uphold these agreements. As part of its commitments, the government promises to hold irresponsible states accountable for malpractice.
Strategic objective 5.5 — secure global supply chains for information, communications, and operational technology products and services
With supply chain attacks on the rise, the administration plans to work with both federal, private and international organizations to put in place best practices that boost supply chain resilience.
How Polymer DLP can help your organization align with the National Cybersecurity Strategy
The National Cybersecurity Strategy is a multi-faceted approach to boosting the US’ cybersecurity resilience, with many takeaways for private and public sector organizations.
Clearly, the administration expects companies to take more responsibility for upholding data security and mitigating cyber-attacks. As noted in pillar one, one way to achieve this is through embracing a zero-trust approach.
And that’s where we can help. Polymer data loss prevention (DLP) brings zero-trust security to the cloud applications your organization uses everyday, including Slack, Teams and Google Workspace––but to name a few.
Using natural language processing (NLP) and a self-learning engine, Polymer DLP autonomously discovers, classifies and secures sensitive data like personally identifiable information and protected health information across the cloud.
Through contextual analytics, it ensures that only verified, authorized users interact with your sensitive information in a compliant way.
As the pressure mounts on organizations to uphold cybersecurity best practice, Polymer DLP is the best way to maintain data security in your cloud apps.
Ready to get started? Discover the sensitive data lurking unprotected in your cloud apps for free.