On March 2nd, the Biden Administration released the much-anticipated National Cyber Strategy (NCS). The NCS outlines and defines the White House’s goals in cyber policy making and gives us insight into what the regulatory and political landscape of the industry will look like for at least the next two years.
The private sector often dismisses strategic plans as grand top-down documents that will take years to affect them, if ever. That is not the case with this new strategy. Multiple departments, including the EPA, CISA, and TSA, have already released regulations or guidelines for their respective industries in step with this document. For this reason, organizations of all sizes and across every industry need to be aware of the strategy and understand what it means for their business.
The NCS includes five pillars addressing different concerns and plans the administration has regarding cybersecurity. The five pillars are:
- Defend critical infrastructure:
To defend critical infrastructure as defined by CISA, the federal government will roll out mandatory cybersecurity requirements, increase private-public partnerships, and collaborate with state, local, and tribal governments. It also will work to set a model for cybersecurity by investing in better federal cybersecurity and updating/modernizing federal systems and incident response plans.
Key takeaway: The most important aspect of these changes is the move to mandatory requirements. As it stands, cybersecurity regulations are voluntary for almost every industry. As with the move from voluntary to mandatory incident reporting, the government has seen “inadequate and inconsistent outcomes” that disadvantage the owners and operators of critical infrastructure who do invest in cybersecurity. Mandatory requirements aim to fix this by leveling the playing field through effective and efficient regulatory frameworks tailored to each specific industry.
- Disrupt and dismantle threat actors:
To facilitate better disruption and dismantling of threat actors, the federal government will work to increase information sharing in both directions. This includes things like CISA’s new ransomware notification program and reviewing the federal declassification process so that information about a threat can quickly reach the organizations, private or public, that need it.
Key takeaway: This is a major shift away from the government expecting private companies to share incident information or opt in to automated indicator sharing. In the past, the government had no process or ability to provide information collected by the various intelligence agencies to the private sector because of classification and other legal barriers.
- Shape market forces to drive security and resilience:
The federal government will use its massive purchasing power to push technology companies toward producing more secure products that prioritize data privacy, while also shifting liability from end users to vendors. It will use federal grants to fund research and development of secure products and will investigate a federal cyber insurance backstop, particularly for small businesses that may be left out of the cyber insurance market.
Key takeaway: For the non-vendor side of the house, the shift in liability benefits you by providing a greater shield for you and your customers. On the other side, vendors will need to take more responsibility for building more secure products. This also presents an opportunity for organizations already prioritizing security when competing for federal contracts: using a platform like Consortium Networks’ Metrics that Matter® to prove adherence to major security frameworks like NIST and MITRE will be even more important.
- Invest in a resilient future:
The federal government will invest in federal cybersecurity research and development, quantum computing, clean energy technologies, the development of a digital identification ecosystem, and workforce development.
Key takeaway: We will likely see additional grants and funding opportunities become available in these areas.
- Develop and expand international partnerships:
The White House will pursue international multilateral conversations around securing the global digital ecosystem and expanding international assistance capacity. It will work with its partners and allies to secure global supply chains and set international norms in cyberspace.
Key takeaways: In pursuit of this goal, we expect to see plans similar to the Digital Red Cross and the International Counter-Ransomware Initiative continue and expand. Increased international cooperation should lead to more standardized regulation across countries, and therefore a less complicated regulatory landscape for multinational companies.
Overall, the most salient changes we expect post-NCS are more mandatory regulations for critical infrastructure industries, greater focus on security in federal contracting, and greater liability for technology companies.