The U.S. government recently released a new National Cybersecurity Strategy, detailing recommendations and changes to ensure a safe and secure digital ecosystem. The policy document from the White House represents several major shifts to defend cyberspace, stay resilient against attacks, and protect national security.
Since the last strategy came out during the previous administration in 2018, the cybersecurity landscape has changed dramatically. The COVID-19 pandemic drove a massive shift toward a distributed workforce, and cyber intrusions and ransomware attacks have increased. Despite the gap between official cybersecurity strategies, the current administration has not been lax in its consideration of the cyber landscape. This new document comes on the heels of conversations around the cybersecurity of IoT devices, new executive orders regarding cybersecurity, and legislation around cyber disclosure. So while the strategy is not a new law or executive order, it does come at a very timely and critical inflection point.
The 35-page document lays out a cyber roadmap using five key pillars to build and enhance collaboration. Within those details, BitSight has identified two major strategy shifts:
- New regulatory requirements for critical infrastructure
- A new focus on reducing risks from insecure software & IoT devices
Cyber shift #1: New regulatory requirements for critical infrastructure
The document’s first pillar discusses the strategy around defending critical infrastructure. First, I will summarize this pillar, and then provide BitSight’s takeaways.
Strategy summary: Defend critical infrastructure
For years, there has been a debate in the U.S. about broadening cybersecurity regulation for critical infrastructure owners and operators. Broadly speaking, some critical infrastructure sectors—such as the financial sector and parts of the energy sector—have had years of cybersecurity regulations. Meanwhile, others—like water, food, and agriculture systems—have largely relied on voluntary measures. The new strategy calls for the development of new mandatory requirements for non-regulated entities, calibrated to meet the needs of national security and public safety. Specifically, the strategy describes taking a performance-based approach.
BitSight takeaways: Defending critical infrastructure requires better visibility and measurement within government
Currently non-regulated entities will likely view new regulatory proposals as controversial, particularly in the absence of meaningful measurements and metrics to describe the current situation. Policymakers have long grappled with implementing an approach to cybersecurity rooted in data and metrics rather than subjectivity or perception. Cybersecurity may be notoriously difficult to measure, but measurement is exactly what is needed to succeed.
For years, BitSight has suggested that policymakers leverage data and measurement to understand the performance of critical infrastructure sectors and industries. Data-driven decisions are inherently more trustworthy and valuable, and it’s critical that the government rely on data and metrics to effectively implement this (or any) cyber strategy.
The strategy recognizes the importance of data-driven decision-making. According to the document, “In implementing this strategy, the Federal Government will take a data-driven approach. We will measure investments made, our progress toward implementation, and ultimate outcomes and effectiveness of these efforts.”
BitSight encourages national and international policymakers to accelerate their efforts in developing a baseline of cybersecurity performance across sectors and industries to make better decisions about new policies and regulations to protect sensitive data.
Cyber shift #2: Reducing risks from insecure software & IoT devices
The document’s third pillar discusses how to shape market forces to drive security and resilience. Let’s start with a summary of the third pillar in the strategy before reviewing BitSight’s takeaways.
Strategy summary: Shape market forces
Software makers and supply chains must make greater efforts to ensure their products are secure. Too many vendors today write insecure code, neglect best practices for secure development, or ship products with known vulnerabilities. The strategy aims to shift liability onto those vendors that don’t take precautions to secure their software, both within the federal government’s software supply chain practices and in consumer IoT devices. In addition, the administration calls for expansion of IoT security labels so consumers can compare protections.
BitSight takeaways: Security professionals must take proactive steps in vulnerability management while liability debate continues
The strategy suggests a major shift in national policy. BitSight predicts that cybersecurity professionals who have struggled to manage ever-growing vulnerabilities in their environment will welcome these changes with open arms. But any new liability measures will likely require legislation and a lengthy public debate. This won’t happen overnight, and it will be challenging to achieve.
In the meantime, security professionals need to focus more effort and resources on their vulnerability management programs. BitSight research confirms that organizations that struggle with vulnerability management and remediation are at greater risk of experiencing a cybersecurity incident than organizations with robust programs. Cybersecurity professionals must take the steps to identify and reduce vulnerabilities within their own systems while the liability debate progresses in the policy community.
But, it’s also clear that cybersecurity leaders must expand their view of vulnerability management. As the strategy indicates, companies can’t just focus on protecting themselves; they have to create more secure products for their customers and partners as well. BitSight observes cybersecurity leaders like Schneider Electric who are building sophisticated cybersecurity programs that focus on internal protection and external product security. The market values this holistic approach to vulnerability management and cybersecurity, and we believe this is a strategy that more organizations should consider adopting.
Additional cyber takeaways to consider
Although these two major shifts stood out the most to BitSight, we also noticed four additional takeaways to keep in mind.
- Using procurement to drive cybersecurity improvements. The strategy emphasizes the role that procurement can play in driving greater security from vendors and contractors. BitSight has observed that cybersecurity requirements in vendor contracting have long been an effective tool for addressing and improving cybersecurity posture in the commercial sector. We have also observed that many federal agencies, including NASA and the Centers for Medicare and Medicaid, leverage BitSight to address cyber risk during the vendor procurement process. We are encouraged that the strategy will consider “new concepts for setting, enforcing, and testing cybersecurity requirements” and agree that scalable approaches are optimal.
- Reducing ransomware risks. The strategy correctly calls ransomware a “threat to national security, public safety, and economic prosperity,” one that has disrupted all kinds of critical national infrastructure and essential services. While the U.S. government continues efforts to disrupt ransomware gangs and criminal threats, cybersecurity professionals must focus on improving their own programs to reduce their risk of becoming a victim. There are many evidence-based steps that companies can take to lower their chance of becoming a ransomware victim.
- Disruption of adversary efforts. The strategy describes a series of efforts that the government will leverage to effectively disrupt malicious cyber activity. Private sector entities have unique insights and capabilities that can be brought to bear. For example, BitSight and Microsoft joined forces in 2020 against Necurs, the massive criminal botnet. More collaborative efforts between the government and private sector can help disrupt these activities.
- Lessons learned from major incidents. The strategy describes the importance of leveraging the recently created U.S. Cyber Safety Review Board to bring together cybersecurity leaders from both public and private sectors to generate insights from major events. But this is not the only repository of information detailing incident impact and likelihood. For example, BitSight and Marsh McLennan’s Cyber Risk Analytics Center collaborated to analyze thousands of cybersecurity incidents to understand how security performance impacted incident likelihood. Cybersecurity professionals can leverage these insights—along with the government’s lessons learned—to better protect their organizations.
BitSight commends the U.S. government for developing this comprehensive National Cybersecurity Strategy and looks forward to assisting policymakers and cybersecurity professionals alike with cybersecurity data and analytics to help achieve implementation and a more secure cyberspace.
To read the strategy in its entirety, visit https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf