New US National Cyber Security Strategy

The White House has published a National Cybersecurity Strategy calling for comprehensive regulation of the nation's vital services. This is based on a growing recognition that the US economy can no longer rely upon voluntary cyber security measures which have failed to prevent the enormous economic losses caused by surging ransomware attacks.

The report provides a road map on how the US will defend against the rapidly growing number of online threats. 

"Cyber security is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden writes in the introduction to the strategy. 

The 38-page document describes how the voluntary cyber security measures in place today have produced “inadequate and inconsistent outcomes” as it calls for stronger regulation to protect “critical infrastructure.” The White House also says that there have been "inadequate and inconsistent outcomes" across critical infrastructure like energy pipelines, food companies, schools and hospitals. The document comes on the heels of major cyber incidents, including a massive ransomware attack at the largest meat supplier and many more ransomware attacks.

This new strategy is led by the Office of the National Cyber Director in the White House, calls out China, Russia, Iran and North Korea for aggressive cyber tactics exhibiting "reckless disregard for the rule of law" and elevates ransomware attacks, such as the 2021 Russia-linked cyber attack on the Colonial pipeline

"For government, we have a duty to the American people to double down on tools that only government can wield, including the law enforcement and military authorities, to disrupt malicious cyber activity and pursue their perpetrators," Acting National Cyber Director Kemba Walden told reporters.

The report's authors appear to doubt that the US criminal justice system is able to deal with the challenge alone and it is likely that government will use its other powers, including sanctions, to defend against foreign cyber criminals. "We want to shrink the surface of the earth in which people can conduct malicious cyber activity with impunity, to put pressure on them and make their lives a little bit less pleasurable... if a criminal is restricted to living in Russia and can't leave the borders, then perhaps that might create a bit of a deterrent effect." a senior official has said. 

According to the White House strategy, it is China that "now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so."

China's growing cyber capabilities have prompted growing concerns about attacks on US telecommunications, mass-pollution of American waterways and targeting of the US power grid.  "Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched," CISA Director Jen Easterly recently said.   

The new cybersecurity roadmap is intended to shift the burden of cyber risk beyond consumers and ensure "companies are not trapped in a competition to underspend their peers on cybersecurity." The US governmnet has  already started cyber security mandates intended to protect oil and gas pipelines, and shore up rail and aviation sectors. 

Officials have previewed plans for the Environmental Protection Agency (EPA) to issue a rule for the water sector. A 2021 survey of 606 drinking and waste-water organisations by the Water Sector Coordinating Council found half spent less than 5% of their budget on IT security. "We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognising that even the most advanced software security programs cannot prevent all vulnerabilities," the strategy read. 

Most recently, the US Marshals Service had a major cyber attack compromising some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential investigative targets.   

The Congress has already passed laws requiring critical infrastructure owners and operators to report to the federal government within 72 hours in the event of a major cyber attack. "Where Federal departments and agencies have gaps in statutory authorities to implement minimum cyber security requirements or mitigate related market failures, the Administration will work with Congress to close them," according to the strategy. 

The New Strategy Has Five Elements  

Defend critical infrastructure:    The strategy will set minimum cybersecurity requirements for organisations across all critical infrastructure sectors, while also seeking to expand public-private collaboration and modernise federal networks.

Target and disrupt threat actors:   The administration has vowed to use "all instruments of national power" to target malicious actors, bring more private sector expertise to bear, and continue targeting ransomware "in lockstep with our international partners."  

Use market forces to improve security and resilience:    The administration wants a greater focus on "promoting privacy and the security of personal data" to drive data holders to better secure it, and it wants commercial developers and sellers of software and hardware to be liable if they fail to employ recognized security development practices.    

Invest in resilience:    The strategy highlights the need to reduce vulnerabilities in foundational technology, prioritise research and development for emerging technologies such as "post-quantum encryption, digital identity solutions and clean energy infrastructure," and expand the size of the nation's cyber workforce.

Enhance international partnerships:   Promoting "responsible state behaviour" as well as allies' own cybersecurity resilience and supply chain security remains a goal, as does attempting to impose costs on countries that engage in "irresponsible behaviour," according to the strategy.

Senior Director Cybersecurity Strategy at Menlo Security, Mark Guntrip, commented, ““There’s a lot to unpack in the Strategy, but a good place to start is building resilience in cyberspace. This is going to require organisations to lean on innovative technologies that act as alternatives to the traditional layers of security. We see that focusing on threat prevention ahead of detection and response makes good sense in order to improve overall security effectiveness. Technologies that provide isolation, deception solutions or data micro-segmentation could be starting points.”

National Cyber Director Chris Inglis stepped down from his post last month, retiring after almost two years at the helm of the agency responsible for coordinating a patchwork of agencies and offices tasked with safeguarding the nation's critical infrastructure. President Biden has yet to nominate his replacement. 

The White House:      GovInfoSecurity:     CBS:          BankInfoSecurity:     Forbes:     CNBC

You Might Also Read: 

Crackdown On Ransomware Criminals:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The US Marshals Service Gets Hacked
Cyber Criminals Are Quick To Use ChatGPT  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Exploit Database (EDB)

Exploit Database (EDB)

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

CW Jobs

CW Jobs

CWJobs.co.uk is a leading specialist IT recruitment website covering all areas of IT including Cyber Security.

ISTQB

ISTQB

ISTQB has defined the "ISTQB Certified Tester" scheme that has become the world-wide leader in the certification of competences in software testing.

DataVantage

DataVantage

DataVantage data masking and data management software helps you prevent data breaches, pass compliance audits and meet regulatory requirements such as HIPAA and PCI DSS.

Vaddy

Vaddy

Vaddy provide an automatic web vulnerability scanner for DevOps that performs robust security checks to ensure that web app code is secure.

Maryville Online - Cybersecurity Program

Maryville Online - Cybersecurity Program

The Cybersecurity Program at Maryville Online is designed to help students reach opportunities in cybersecurity leadership and management through an entirely online curriculum.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

Gradcracker

Gradcracker

Gradcracker is THE careers website for Science, Technology (including Cybersecurity), Engineering and Maths university students in the UK.

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers is a multinational professional services network of firms headquartered in London, United Kingdom and operating in 157 countries.

Contechnet Deutschland

Contechnet Deutschland

Contechnet Deutschland started as a specialist in the area of IT disaster recovery and has since broadened its portfolio into information security and data protection.

ServerScan

ServerScan

ServerScan specializes in providing server scanning & compliance services to organizations of all types and sizes.

Air IT

Air IT

Air IT are a responsive, client-focused and award-winning Managed Service Provider, helping clients achieve success and transformation through their IT and communications.

CornerStone

CornerStone

CornerStone is an award winning, independent risk, cyber and security consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

PureSquare

PureSquare

PureSquare exist to empower people with simple solutions for their increasingly complex digital security & online privacy needs.