4 April, 2023
On March 2, 2023, the Biden-Harris Administration announced the National Cybersecurity Strategy. The objective of this strategy is to improve the security of the United States’ cyberspace, helping to build a digital ecosystem that is easier to defend. It is based on two fundamental shifts, the rebalancing of the responsibility to defend cyberspace and the realigning of incentives to favor long-term investments.
In this blog post I will go over the fundamental shifts that this strategy proposes, the five pillars that will be used to implement it, what it implies for the average consumer and software developers, and how you can ensure that your software is being developed securely.
What are the fundamental shifts of the National Cybersecurity Strategy?
Rebalancing the responsibility to defend cyberspace
This shift refers to reducing the burden placed on end-users to mitigate cyber risks. In the US today, end-users such as individuals, small businesses, state and local governments, and infrastructure operators are often tasked with reducing those risks, so their actions can have significant repercussions for the country’s cybersecurity. Yet these actors often have limited resources and competing interests, which hinders their ability to truly minimize risks.
Instead, the strategy aims to shift this responsibility to the organizations that are better positioned to reduce those risks: the owners and operators of the systems that hold end-user data, and the technology providers that build and service these systems. In other words, the strategy proposes that companies become liable for security vulnerabilities in the systems they own and/or develop.
Realigning incentives to favor long-term investments
This shift focuses on incentivizing decisions that make cyberspace more resilient and defensible over the long term. It calls for a balance between the short-term actions required to secure current systems and investing in and building a future digital ecosystem that is defensible and resilient.
To this end, the Federal Government lists several objectives it hopes to achieve, outlined below:
- Ensuring that market forces and public programs alike reward security and resilience.
- Building a robust and diverse cyber workforce.
- Embracing security and resilience by design.
- Strategically coordinating research and development investments in cybersecurity.
- Promoting collaboration in the supervision of the digital ecosystem.
What are the five pillars of the National Cybersecurity Strategy?
The proposed strategy seeks to develop and promote collaboration around five main pillars. Let us go over them.
Pillar One: Defend critical infrastructure
The government plans to protect critical infrastructure and enhance cybersecurity efforts by:
- Requiring cybersecurity measures for critical infrastructure providers to ensure public safety and national security.
- Increasing collaboration between private and public sectors to share threat intelligence.
- Integrating federal cybersecurity centers with private-sector and international partners.
- Improving the notification and escalation process for incidents that require a federal response.
- Modernizing federal defenses by adopting Zero Trust (ZT) cybersecurity across federal systems, networks, and operational technology.
Pillar Two: Disrupt and dismantle threat actors
The government aims to make cyberattacks less profitable and improve collaboration between private and public sectors by:
- Combining technology disruption and ZT implementation to make cyberattacks more costly.
- Improving shared threat intelligence capabilities between the government and private sector.
- Enhancing breach notification to mitigate damages and speed up recovery.
- Holding Infrastructure-as-a-Service (IaaS) providers to a higher standard and considering them critical infrastructure.
- Taking a four-pronged approach to counter cybercrime and defeat ransomware, including international cooperation, law enforcement investigations, critical infrastructure resiliency, and addressing the abuse of virtual currency.
Pillar Three: Shape market forces to drive security and resilience
To improve cybersecurity and resilience, the government has set strategic objectives to promote accountability and incentives for US technology companies:
- Hold data stewards accountable for securing personal data and protecting privacy rights.
- Develop secure Internet of Things (IoT) devices and adopt security practices to limit unauthorized access.
- Shift liability for insecure software products and services to companies and encourage the use of software composition analysis tools.
- Use federal grants and incentives to build security into products at every stage of the product life cycle.
- Leverage federal procurement to hold companies accountable for following cybersecurity best practices.
- Explore the possibility of a federal cyber insurance backstop.
Pillar Four: Invest in a resilient future
Investing in the future and securing the internet, cybersecurity intellectual property, and practitioner skills is essential. Here are six strategic objectives to achieve this:
- Align with industry leaders, academia, and allied nations to secure the technical foundation of the internet and increase global adoption rates while working towards global security standards.
- Reinvigorate federal cybersecurity research and development to drive investment in securing computing-related technologies, biotechnologies, and clean energy technologies.
- Prepare for the post-quantum future by planning for the transition to post-quantum cryptography and mitigating risks to traditional cryptography.
- Implement a “security by design” approach to clean energy technology and embed cybersecurity controls early in the design lifecycle to secure our clean energy future.
- Support the development of a digital identity ecosystem to enable trusted digital identities and accelerate innovation in phishing-resistant authentication solutions.
- Develop a national cyber workforce strategy to increase diversity and address unique challenges faced by critical infrastructure providers and government agencies through cybersecurity apprenticeships and training programs.
Pillar Five: Forge international partnerships to pursue shared goals
This pillar aims to strengthen international relationships and norms to have a more significant impact on cybersecurity initiatives. Here are the five strategic objectives to accomplish this:
- Build coalitions for global threat counteraction and shared intelligence gathering.
- Strengthen military partnerships with other allied nations.
- Expand US ability to assist allies and partners during cyberattacks.
- Establish and enforce cybersecurity norms for responsible state behavior.
- Secure global supply chains for information, communications, and operational technology products and services.
What does this strategy mean for the average consumer and software development teams?
For the average consumer, this strategy means an increased focus on cybersecurity measures in sectors considered critical, such as energy, transportation, and healthcare. These measures are intended to ensure the availability and resilience of the essential services consumers depend on. Additionally, the strategy promotes the privacy and security of personal data and shifts the liability for software products and services away from consumers.
For software development teams, this strategy implies that they may see a shift towards a more security-focused approach to software development practices. The strategy will emphasize reducing technical vulnerabilities and prioritizing cybersecurity research and development for future technologies. Finally, the strategy also aims to encourage the development of a diverse and robust national cyber workforce, suggesting that security-minded software developers will be sought after more in the future.
How can you ensure that you develop software securely?
As part of Pillar Three, explained above, one of the crucial points of this strategy is that it shifts liability away from end-users and towards the companies that own and operate the systems end-users rely on. The strategy demands greater accountability from companies, which will require them to change their software development practices to ensure the security of the software they build. Therefore, companies will need to follow frameworks like the Secure Software Development Lifecycle (SSDLC) as this strategy is implemented.
Lucky for you, at Codific we make your life easier by not only providing you with all the information you need to implement the SSDLC here, but also by giving you an easy-to-use and all-encompassing tool that you can use to implement it.
SAMMY is the name of this tool; learn all about it here.