On March 1, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy. Its goal is to provide a safe, reliable, and secure Internet for both business and personal use. It outlines several goals including economic security and prosperity, respect for human rights and fundamental freedoms, trust in democracy and democratic institutions, and an equitable and diverse society. In the introduction, the President writes that this strategy is designed to “better secure cyberspace and ensure the United States is in the strongest possible position to realize all the benefits and potential of our digital future.”1
This is in line with several cybersecurity initiatives, including the President’s Executive Order on Improving the Nation’s Cybersecurity from May 2021, which was followed by the Infrastructure Investment and Jobs Act, or “Bipartisan Infrastructure Law,” providing $550 billion through 2026 to invest in new infrastructure. The 2023 strategy replaces the 2018 National Cyber Strategy while continuing the momentum from other initiatives, aligning priorities, and forming collaborative defense.
The strategy includes an introduction that covers the strategic environment, which discusses emerging trends in cyberspace. It outlines that as software and systems are becoming more complex, they cannot continue to be placed on older and less secure technology. The strategy calls out the importance of protecting operational technology (OT) that is digitally connected and used in many factories, power grids, and water treatment facilities. It also recognizes that advanced wireless and the Internet of Things (IoT) are becoming more essential.
The strategy also recognizes the threats to a free Internet. Malicious activity has evolved from cybercrime to more strategic, state-run campaigns. It calls out China, Russia, Iran, and North Korea and their pursuit of cyber objectives that counter US and allied interests as well as accepted international norms.
In comparison to the previous strategy, the 2023 version calls out two fundamental shifts in how we will allocate roles, responsibilities, and resources. These include:
- Rebalancing the responsibility to defend cyberspace: Understanding that not everyone has the same resources and capabilities, the plan will ask for the most capable and best-positioned actors to make the Internet more secure. It notes that the responsibility of protecting these systems belongs to the owners, operators, and technology providers.
- Realigning incentives to favor long-term investments: In addition to a shared responsibility to defend, it also outlines incentives for a stronger cyber workforce, more security in design, and collaborative research.
The intro closes with the plan to build this strategy on existing policies and initiatives for a stronger and safer Internet.
The strategy includes five pillars that are critical for this vision:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
Pillar 1, which includes supporting objectives, is explored further below. Pillars 2 and 3 will be explored in Part 2 of the series, and we’ll explore pillars 4 and 5 in Part 3.
Pillar 1: Defend Critical Infrastructure
This pillar focuses on a strategy to defend the systems and assets within our critical infrastructure. This strategy will promote a collaboration between the private and public sectors, further develop existing regulations, create new regulations, and develop frameworks to fill any identified gaps within existing regulations. It is supported by the following five objectives:
- 1.1 Establish Cybersecurity Requirements to Support National Security and Public Safety: Establishes guidelines for requirements of new and existing regulations to secure critical infrastructure. Minimum requirements for regulations will be performance-based and will ensure a level playing field among competitors when it comes to cybersecurity spending.
- 1.2 Scale Public-Private Collaboration: Outlines a structured model of support between public and private sectors. Collaboration efforts in this model will require the use of technological solutions to enhance data sharing between sectors and coordinate defensive efforts. This allows for multi-directional sharing that enables a faster threat response.
- 1.3 Integrate Federal Cybersecurity Centers: Federal Cybersecurity Centers will serve as a node for collaborative capabilities across homeland defense, law enforcement, intelligence, diplomatic, economic, and military missions. These centers will lead in intragovernmental coordination efforts to be able to effectively support non-federal partners.
- 1.4 Update Federal Incident Response Plans and Processes: CISA will lead the process to update the National Cyber Incident Response Plan (NCIRP). As part of the NCIRP, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will aid in the ability to respond to incidents effectively. After an incident, the Cyber Safety Review Board (CSRB) will bring together leaders in the public and private sectors to review major incidents so that the community can benefit from lessons learned, as established in EO 14028 “Improving the Nation’s Cybersecurity.”
- 1.5 Modernize Federal Defenses: IT and OT systems within the federal government that are incapable of implementing the zero-trust architecture strategy must be replaced within a decade, and the risks to those that cannot be replaced must otherwise be mitigated. Additionally, IT and OT systems within the federal government that are not defensible against sophisticated cyberattacks must also be replaced. The Office of Management and Budget (OMB) will coordinate with CISA to develop a plan of action to secure Federal Civilian Executive Branch (FCEB) systems and with the NSA to develop a plan to implement the enhanced cybersecurity requirements of NSM-8.
In Part 2 of the series, we will explore pillars 2 and 3 of the National Cybersecurity Strategy. These pillars aim to address and disrupt threat actors as well as improve cyber resilience more effectively.
As cybersecurity becomes increasingly critical to business continuity, staying aware of trends and building an effective strategy can seem daunting. Consider hiring a trusted partner to advise on your cyber strategy and ensure your organization is protected.