Yesterday, the White House released a new national cybersecurity strategy that shifts the cyber protection burden to software & service providers.
The new National Cybersecurity Strategy (announced here with an online fact sheet and available here via a 39-page strategy document) states that “we must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace”, emphasizing that we must “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
The National Cybersecurity Strategy focuses on five pillars:
Defend Critical Infrastructure, including by:
- Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance;
- Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and,
- Defending and modernizing Federal networks and updating Federal incident response policy.
Disrupt and Dismantle Threat Actors, including by:
- Strategically employing all tools of national power to disrupt adversaries;
- Engaging the private sector in disruption activities through scalable mechanisms; and,
- Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with our international partners.
Shape Market Forces to Drive Security and Resilience, including by:
- Promoting privacy and the security of personal data;
- Shifting liability for software products and services to promote secure development practices; and,
- Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.
Invest in a Resilient Future, including by:
- Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression;
- Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure; and,
- Developing a diverse and robust national cyber workforce.
Forge International Partnerships to Pursue Shared Goals, including by:
- Leveraging international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition;
- Increasing the capacity of our partners to defend themselves against cyber threats, both in peacetime and in crisis; and,
- Working with our allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.
In addition to a detailed discussion of the five pillars, the 39-page National Cybersecurity Strategy document also includes a brief Implementation section, discussing assessing effectiveness through a data-driven approach, incorporating lessons learned from cyber incidents like Log4j, and increasing private sector investment in security, resilience, improved collaboration, and research and development.
Implementation of the new strategy will be coordinated by the Office of the National Cyber Director (ONCD) together with the Office of Management and Budget (OMB), under the oversight of the National Security Council (NSC). They will make annual reports to the President and the U.S. Congress on the strategy’s effectiveness and provide federal agencies with yearly guidance on cybersecurity budget priorities to help ensure its goals are achieved.
Of course, the key to the success of the program will be how it’s implemented. The White House has defined the “what”; now the ONCD and OMB will need to deliver the “how”. It will be interesting to see how that implementation proceeds.
So, what do you think? Do you think the new National Cybersecurity Strategy goes far enough to define how the US will address today’s cybersecurity challenges? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.