The Biden Administration published its long-expected National Cybersecurity Strategy on March 2, 2023.
The nearly 40-page document introduces the Biden Administration’s vision of an increasingly targeted, intentional and funded approach to cyber defense that emphasizes the need to protect American infrastructure and create a digital ecosystem that is:
Defensible, where cyber defense is overwhelmingly easier, cheaper and more effective;
Resilient, where cyber incidents and errors have less of a large-scale or lasting impact; and,
Values-aligned, where our most cherished values shape—and are in turn reinforced by— our digital world.
Starting with George W. Bush, every administration has released some type of formal cybersecurity strategy at least once per term.
The most recent strategy, released in 2018 by the Trump Administration, focused on pre-emptive initiatives against domestic and international threat actors, as well as concerns over foreign entities, specifically Chinese manufacturer Huawei.
The Biden Administration’s cybersecurity strategy seeks to build and enhance collaboration in cyberspace based on the five-pillar approach below:
Defend Critical Infrastructure – We will give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides.
Disrupt and Dismantle Threat Actors – Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States.
Shape Market Forces to Drive Security and Resilience – We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable to make our digital ecosystem more trustworthy.
Invest in a Resilient Future – Through strategic investments and coordinated, collaborative action, the United States will continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure.
Forge International Partnerships to Pursue Shared Goals – The United States seeks a world where responsible state behavior in cyberspace is expected and reinforced, whereas irresponsible behavior is isolating and costly.
While the Biden Administration continues to prioritize cyber defense investments and actions against hacker groups, the third pillar of Shape Market Forces to Drive Security and Resilience brings what is described as “fundamental changes to the underlying dynamics of the digital ecosystem”.
This translates into a potential push for increased regulatory and federal oversight on owners and operators of critical infrastructure, specifically technology and software manufacturers.
In her recent Carnegie Mellon University appearance, CISA Director Jen Easterly went in-depth on the topic of how manufacturers have normalized the idea that technology is inherently dangerous, rather than be held accountable for producing flawed software and products.
Citing the normalization of Patch Tuesday, a monthly day when software developers push out security updates, Director Easterly urged those in the audience to evaluate the accident boundary we are willing to walk along in exchange for cheaper and faster technology.
While additional regulations and fines may sound like an overreach, the overall goal seems to be to establish some sort of security standard, like the mobility engineering industry, that will create a stronger infrastructure and user base by establishing minimum cybersecurity measures.
“It just reimagines the American cybersocial contract…we are expecting more from those owners and operators in our critical infrastructure,” said acting National Cyber Director Kemba Walden, regarding the focus on technology manufacturers and software developers.
The strategy also reaffirms the Biden Administration’s focus on ransomware attacks, which is now officially classified as a national security threat (as opposed to a criminal threat), and commits what is described as all elements of national power to counter ransomware with these four initiatives:
Leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals;
Investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and threat actors;
Bolstering critical infrastructure resilience to withstand ransomware attacks; and
Addressing the abuse of virtual currency to launder ransom payments.
The complete policy is available to view here and the strategy will be led by the National Security Council, the White House’s Office of Management and Budget, and the Office of the National Cyber Director.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.