The US National Cybersecurity Strategy is out.
Mar 2, 2023

The Biden Administration today released the National Cybersecurity Strategy, which is intended to make fundamental changes to cyberspace.


The White House this morning released the National Cybersecurity Strategy, intended to “secure the full benefits of a safe and secure digital ecosystem for all Americans,” the executive branch said in a fact sheet also released today. The strategy refocuses roles, responsibilities, and resource allocations in the digital ecosystem, with a five-pillar approach.

Intentions and vision behind the 2023 US strategy.

The White House shared that two primary focus areas of the strategy are to “rebalance the responsibility to defend cyberspace,” by shifting the burden of cybersecurity away from individuals and onto specialized organizations in the sector, as well as to “realign incentives to favor long-term investments” by balancing threat defense with smart planning and investment. The strategy is planned to prioritize ease and effectiveness of cybersecurity implementation, quick recovery from incidents, and reinforcement of digital values in three points highlighted by the administration: defensibility, resiliency, and values-alignment.

Five principal pillars underpinning the strategy.

The strategy has five core tenets: “Defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.” The first, defense of critical infrastructure, calls for non-voluntary cybersecurity requirements for the sector, which may see some pushback from those employed in the field. Edgard Capdevielle, Chief Executive of Nozomi Networks, describes the hesitation among critical infrastructure executives and leadership over implementing the strategy’s requirements:

"The National Cyber Strategy's non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and Boards alike. While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces is going to be difficult. As it is for most companies in this macroeconomic climate. We look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible."

The Wall Street Journal notes that this strategy takes a much wider lens than the government seems to have used in recent years. In the past, the Journal writes, the federal government brought sectors such as oil and gas pipelines, as well as federal agencies, into focus on a much smaller scale.

Additional facets of the strategy worth an honorable mention.

The Washington Post makes note of the way the strategy also brings to light the role of US-based services in foreign cyber attacks. The strategy identifies the ways foreign threat actors exploit US-based cloud infrastructure, saying “Often, these services are leased through foreign resellers who have multiple degrees of separation from their U.S.-based providers, hindering the ability of those providers to address abuse complaints or respond to legal process from U.S. authorities.” The Post also notes the strategy’s inclusion of four other initiatives: a potential approach to a federal cybersecurity insurance response in times of catastrophe, “the slow adoption of IPv6,” the White House’s much-needed legislative assistance, and early steps in the development of a strategy implementation plan.

Some experts commend the executive branch’s approach.

Tom Kellermann, Senior Vice President of cyber strategy at Contrast Security, shares his joy at the capabilities allowed by the cyber strategy:

“I am elated to see that the National Cybersecurity Strategy is allowing law enforcement to finally take the gloves off. Cybercrime cartels and spies have been operating with relative impunity for decades. I commend the administration on mandating cybersecurity requirements for critical infrastructures (CIs). This will enhance our defensive posture against systemic destructive attacks. These bold steps coupled with the unprecedented level of information sharing buttress our nation’s national and economic security.”

Bruce Byrd, Palo Alto Networks’ EVP and General Counsel, commends the administration for the strategy’s release:

“The National Cybersecurity Strategy released today is an important step in our shared goal of securing America's digital infrastructure with next-generation cyber defenses. We applaud the Administration for highlighting the benefits of implementing zero trust principles, employing automation and machine learning, and building the cyber workforce of the future.”

Adam Cohn, VP of Worldwide Government Affairs at Splunk, praises the White House for its prioritization of cybersecurity:

“It’s encouraging to see that this administration continues to prioritize cybersecurity, arguably one of the most important topics globally,” said Adam Cohn, VP of Worldwide Government Affairs at Splunk. “Adversaries are more calculated and resourced than ever before, and our government and critical infrastructure must be able to withstand and quickly recover from cyber attacks. This policy showcases that creating a strategy built on resilience is imperative and requires the right technology, people, partnerships and oversight to make it possible.”

Jim Richberg, field CISO for the public sector at Fortinet, highlights the fact that every person plays a role in cyber defense and how the strategy will help define goals for everyone, from governments to individuals:

“It’s encouraging to see the current Administration continue to make cybersecurity a key priority. Ransomware and continued cyberattack are an inevitability. Focusing on prevention is important but not sufficient; this strategy adds the important goal of building systemic resilience, which includes everything from ensuring that critical infrastructure is secure to helping shape international cyber standards and countering cybercrime. This is a whole-of-nation challenge – cybersecurity is national security – and while the burden cannot be shouldered by individuals, companies, or government alone, each has a role.

"Part of the focus of the new national strategy is on transferring much of the responsibility for mitigating cyber risk away from end-users such as individuals, small businesses and small critical infrastructure operators like local utilities. Such groups are typically under-resourced and short on cyber expertise compared to organizations like technology providers and large corporations or government agencies, who are better able to deal with cyber risks systemically. As the U.S. government works to implement this strategy, ongoing partnership and collaboration between private and public organizations must be integrated into these efforts. 

"Cybersecurity is everyone’s concern. Our national cyber strategy will help define goals and roles for stakeholders ranging from government to individuals. Perfect cybersecurity is unattainable, but the goal we strive for should be focused on building cyber resilience, on maximizing cybersecurity while simultaneously taking steps to minimize the consequences of the inevitable failures that can occur in security. As a nation, we need to plan to succeed, but to be prepared to deal with failure as well.”

Others provide dissenting perspectives on the strategy and its implementation.

Robert DuPree, Manager of Government Affairs at Telos, shares some partial dissent:

“The objectives of the cybersecurity strategy’s five pillars are generally solid, especially the commitments to use every means possible to ‘disrupt and dismantle’ malicious cyber actors and to do more to defend the federal government’s own systems. But there are some obvious gaps when it comes to implementation of the strategy. Here are three examples that come immediately to mind.

"The push to impose mandatory cybersecurity requirements on additional critical infrastructure sectors will need congressional authorization in some cases, which in the current political environment is a long shot at best. The Republican House majority is philosophically opposed to new government mandates and is not likely to give the Biden Administration such authority.

"It’s not enough for critical infrastructure entities to report cyber incidents, as the strategy notes the new law requires. Government agencies must also be able to attribute malicious cyber activities in order to obtain the critical information and intelligence needed to help organizations defend against future attacks.

"Finally, better defending the government’s systems means new funding will be needed from Congress to replace unsecure legacy systems. But that goal will be made more difficult given the desire by many House Republicans to reduce overall discretionary spending to FY 2022 levels.”

Gary Barlet, Federal Field CTO at Illumio, calls attention to the limitations of a ten-year strategy, given the quickly evolving nature of technology: 

“The Biden Administration’s national cybersecurity strategy is a step in the right direction toward making a real and lasting impact on building resilience throughout our critical infrastructure.

“However, having a ten-year strategy simply isn’t effective.

“We understand so little about technologies like quantum and AI today, it's hard to imagine what the impact of technology will be on security in ten years.

“If we’ve learned anything the past few years it’s that breaches are inevitable, so it is essential that organizations, particularly critical infrastructure, reduce their risk to cyberattacks ASAP, not in ten years.”