Retaining the online digital ecosystem’s integrity is paramount to the U.S. economy. However, that ecosystem’s safety has lately been under scrutiny, due to rising cyber threats and malicious actors working both domestically and abroad.
Software supply chain risks, known and unknown vulnerabilities, and a general lack of visibility into open-source software dependencies compound the issues. There’s also the chance of hackers working inside an organization, using stolen credentials, and exploiting known vulnerabilities.
To respond to these national cyber risks, the Biden-Harris administration recently unveiled an updated National Cybersecurity Strategy. Announced on March 2, 2023, the presidential decree aims to increase cybersecurity defense for critical U.S. infrastructure. The strategy incorporates tenets from several Executive Orders (EOs) issued within the Biden term and outlines how to standardize cybersecurity practices across agencies.
The National Cybersecurity Strategy will not only raise the bar for government agencies but also for businesses contracting with the U.S. government, as well as its partners and allies. Most notably, the strategy stresses that the market must shift security responsibility from end users and small businesses to cloud software providers — as well as hold them more accountable for breaches. It’s also evident that a zero-trust approach will be necessary to meet these secure-by-design requirements.
Which companies are the most important vendors in cybersecurity? Check out
the Acceleration Economy Cybersecurity
Top 10 Shortlist.
5 Key Takeaways From the Strategy
Our digital technologies can connect society and be used for good, but unfortunately, they also can have darker repercussions. They can enable transnational repression, disinformation, stolen data, harassment and abuse, ransomware, and criminal enterprises. To counteract these threats, the National Cybersecurity Strategy aims to set forth more defensible, resilient, and values-aligned measures.
“We must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace,” says the Strategy. These fundamental shifts include moving responsibility to larger organizations most equipped to secure identity, making sound long-term security investments, and encouraging global participation.
The Strategy is organized into five pillars, summarized below.
1. Defend Critical Infrastructure: The plan recognizes that “too much of the responsibility for cybersecurity has fallen on individual users and small organizations.” As such, the organizations best equipped to manage cybersecurity will come to bear more responsibility. This will be enacted through sector-specific regulations and cybersecurity requirements in critical sectors, like oil and gas, water, aviation, and rail.
2. Disrupt and Dismantle Threat Actors: The strategy aims to disrupt adversaries that threaten digital systems. This means responding to cyber incidents like ransomware, prosecuting criminals, and even imposing sanctions on threatening nation-states. This will involve increasing intelligence regarding vulnerabilities and knowledge sharing among the public and private sectors.
3. Shape Market Forces to Drive Security and Resilience: Next, the strategy stresses the need to shape market forces by holding software providers more accountable for protecting the privacy and security of personal data. Other actions include mandating the use of Software Bill of Materials (SBOMs) and establishing Internet of Things (IoT) security labels to uphold accountability.
4. Invest in a Resilient Future: The federal government will also focus on reducing systemic technical vulnerabilities by prioritizing cybersecurity research and development. Some actions include more proactive vulnerability identification, investing in quantum-resistant cryptography, securing our clean energy future, and supporting strong digital identity ecosystems.
5. Forge International Partnerships to Pursue Shared Goals: Lastly, the strategy outlines the U.S.’s goals to collaborate with partner nations on strengthening global cybersecurity. One example initiative is the Declaration for the Future of the Internet. At the time of this writing, 60 member countries have signed the Declaration to promote a “common, democratic vision for an open, free, global, interoperable, reliable, and secure digital future.”
Focus On Zero Trust
Many of the above objectives will hinge on developing core information architectures that trust no one. Zero trust architecture (ZTA) assumes that threats may originate from within a network, and thus treats any request to a system with the same level of scrutiny, regardless of whether it’s an internal employee, external user, device, or server.
The National Cybersecurity Strategy recognizes zero trust as critical to modernizing connected digital systems. “This Administration is committed to improving Federal cybersecurity through long-term efforts to implement a zero trust architecture strategy and modernize IT and OT infrastructure,” it says.
The strategy document goes on to direct agencies “to implement multi-factor authentication, encrypt their data, gain visibility into their entire attack surface, manage authorization and access, and adopt cloud security tools.” Zero-trust principles have also arisen as requirements in EO 14028, “Improving the Nation’s Cybersecurity,” and the National Institute of Standards and Technology’s Secure Software Development Framework.
As one can see, a zero-trust approach incorporates many elements. And it’s good to recognize that zero trust cannot be orchestrated with a single technology but instead necessitates a cultural shift. Frank Domizio, Acceleration Economy cybersecurity practitioner analyst, explains it this way: “Zero trust is not a product that can be bought, a service that can be installed, or a server to put in a rack.” As such, organizations must take a comprehensive approach to instill the creed of “never trust, always verify” into all applications and remove legacy systems that cannot conform to a ZTA.
Final Thoughts: Trust No One
The risks facing digital ecosystems are countless. But most harrowing is the possibility of malicious actors disrupting critical infrastructure, like power plants, water management, or aviation systems. Too often, the underlying structural components of these systems and the cloud services integrated into them do not always embrace a zero-trust approach necessary that effectively thwart abuse. As such, the strategy places the onus on service providers, especially large cloud and software vendors, to fortify their systems.
“Holding vendors liable for software insecurity is a laudable goal and very likely to motivate action,” said Jon Geater, Chief Product, and Technology Officer at RKVST, a leading provider of supply chain integrity, transparency, and trust. However, the devil is in the details, and identifying the origin of security issues still will require additional forethought. “We need to make sure that the whole software and data supply chain is traceable and provable in order to efficiently demonstrate fault and bring issues to a conclusion quickly.”
Yet, not all agree that placing responsibility on large software providers ultimately will benefit end consumers. “This approach isn’t productive and will translate into inflated pricing that gets passed down to consumers,” said cybersecurity expert Cyrus Walker. “You can spend billions on a system, but all it takes is one person to give away the password and it’s over. It’s not about who’s using the devices, it’s about who’s using them securely.”
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: