The White House kicked off March with the release of its National Cybersecurity Strategy, aimed at making fundamental shifts in how the country approaches cybersecurity. This strategy is the result of a monthslong process coordinated by the Office of the National Cyber Director, the principal advisor to the President on cybersecurity policy and strategy, and cybersecurity engagement with industry and international stakeholders.
Aimed at better protecting the American people, businesses, and government from cyberattacks, the strategy puts more responsibility on tech and software companies to ensure their products are secure.
With so many pieces of everyday life now interconnected via computers, cybersecurity is becoming even more front and center. “Ten years ago . . . nobody cared,” stated Chris Bronk at the University of Houston. “I mean, it’s one thing for your computer to fail and eat your thesis, it’s another problem if your computer fails and crashes your car.” Similarly devastating would be a hospital computer system crashing, or a power grid going down. The United States was already afforded a taste of these concerns when the Colonial Pipeline was shut down in May 2021, causing a run on gasoline along the East Coast.
What the Strategy Says
Current practices allow sectors such as utilities, food and agriculture, and health care to adhere to voluntary cybersecurity standards, which has unfortunately led to inconsistent outcomes. This new strategy calls instead for minimum security standards across multiple economic sectors and is built on five primary pillars:
- Defend critical infrastructure: Expand the use of minimum cybersecurity requirements, enable public-private collaboration, and defend and modernize Federal networks and policies.
- Disrupt and dismantle threat actors: Employ all tools of national power, engage the private sector in disruption activities, and address the ransomware threat via a Federal approach.
- Shape market forces to drive security and resilience: Promote data privacy and security, keep software providers liable for promoting secure development practices, and promote investments in new secure and resilient infrastructure.
- Invest in a resilient future: Reduce technical vulnerabilities in the internet and digital ecosystem, prioritize cybersecurity R&D, and develop a diverse and robust national cyber workforce.
- Forge international partnerships to pursue shared goals: Leverage international coalitions and partnerships to counter threats, increase the capacity of partners to defend themselves against cyber threats, and work with allies and partners to create global supply chains for technology and services.
Organizations Are on Offense and Defense
Advances in cybersecurity measures are never a bad thing. But what else does this new strategy mean for organizations? With additional cyber governance rules scheduled to be released in April, corporate boardrooms are looking at perhaps one of the largest evolutions since the Sarbanes-Oxley Act in 2002.
Mitigating cyber risk and making cyber defense fiscally achievable is a main focus of the White House’s new strategy:
“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secured and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
Businesses exist in a world of interdependent cyber risk that increases progressively with the continual growth of systems. Risk is distributed across all organizations involved, but the mitigations are not. This strategy raises the bar on enterprise risk management by making systemic risk everyone’s problem: If you introduce systemic cyber risk to another, you, and not the end users, are now more liable for it.
More simply put: The stakeholders who built the software that failed to prevent a bad outcome are responsible for that outcome, not the end users who deal with the consequences. The organizations that have created the risk environment are being held accountable for what they have created, leading to a greater responsibility for understanding and mitigating risk that may extend beyond the four walls of the company.
The best defense in this case is a good offense, eliminating risk before it has a chance to destroy a system. This could include disrupting risk at its source, or eliminating risks from systems before they can be exploited.
What to Do Right Now
While the White House National Cybersecurity Strategy is not yet law, it is something worth paying attention to. The strategy may be used as a basis for creating regulations and guidelines for businesses to follow. Those already complying with the recommendations may find themselves better positioned to comply with any upcoming regulations. Overall, the National Cybersecurity Strategy should be viewed as a roadmap for improving cybersecurity across the country for both the public and private sectors. Aligning efforts with the strategy can only help businesses better protect themselves and everyone they do business with.